Brexit: is the UK leaving the GDPR too?


On the 15th of January 2019, the British Parliament voted massively against the Brexit deal that UK Prime Minister Theresa May has been negotiating for months.

This means the “no deal” scenario is becoming more relevant than ever.

Apart from all the economic consequences, there will also be a huge impact on the transfer of personal data between the EU and the UK. 

In the event of a no deal Brexit, on 29 March 2019 the EU GDPR (the EU’s General Data Protection Regulation) will be brought into law in the UK through the European Union (Withdrawal) Act 2019. If a withdrawal agreement comes into effect, and with it a transition period, the EU GDPR may also continue to be applicable in the UK as an instrument of EU legislation. 

But on the expiry of any such transition period, or in the event of a no deal Brexit, the country will have its own, standalone regime - rooted in the EU GDPR but capable of modification by future UK governments (the “UK GDPR”).

In this case, the UK becomes a “third country” as described in chapter V of the EU GDPR.

That would mean that any transfer of personal data between the EU and the UK must meet one of the legal requirements as set out in the EU GDPR.

On the 13th of December 2018, the UK government already stated that it will grant an adequacy decision to the 27 EU member states in the case of a no deal scenario.

This decision states that:

  • the EEA Member States are recognized as “adequate” for the purpose of the UK GDPR (allowing the free flow of personal data from the UK to the EEA)

  • the UK will adopt the adequacy decisions made to date by the EU, allowing transfers of personal data to continue from the UK to countries such as Guernsey, Israel and US companies which are Privacy Shield signatories

  • the UK will recognize the EU standard contractual clauses as a valid means of transferring personal data from the UK to international recipients outside of the EEA

However, there is so far no indication that the EU will mirror these statements.
In this case, multiple scenarios are possible, and these scenarios will determine what companies need to do to remain compliant:

  1. The EU grants the UK an adequacy decision. Meaning: the EU considers that the UK adequately protects personal data, so transfers of personal data can continue without any further protective measures.

    However, the EU has already made clear that this is not going to happen at short notice, as it has no guarantees that UK legislation will continue to protect data in the same way Europe does.
    The procedure to grant an adequacy decision can start no sooner than the 29th of March 2019, when Brexit is officially a fact, and typically takes several months, if not years.

  2. More likely: no deal and no adequacy decision, so the UK becomes a third country and companies processing personal data of people in Europe will need to comply with the GDPR on their own.

    • Appoint representatives
      Both the EU GDPR and the UK GDPR will require controllers to appoint representatives, as required by Article 3(2) of the EU GDPR. The UK GDPR will replicate this requirement.

    • Relations with supervisory authorities
      Organizations that are in scope of both EU GDPR and UK GDPR after the Brexit (regardless of the “deal” or “no deal” scenario) will be under the jurisdiction of at least two supervisory authorities.
      As long as it remains unclear how this will be handled, companies will need to comply with the ICO for the UK part, and choose a lead supervisory authority in the 27 remaining EU countries for any cross-border processing.

    • Role of the DPO

      Where a DPO has been appointed, organizations should consider whether that DPO can still perform that role under both regimes, given that in the future, that person will need to have suitable expertise in both EU and UK privacy laws.

    • Remain compliant

      On Brexit, a number of steps are important to remain compliant, both for companies in Europe and in the UK:

      • Update your existing policies and procedures, such as privacy notices, the register of processing activities, Binding Corporate Rules, etc.

      • Make sure you have appropriate safeguards in place when transferring data to and from the UK

      • For UK companies operating across Europe: review your structure, processing operations and data flows to make sure they fit the changed situation

      • Review all privacy information and internal documentation to identify any details that will need updating on Brexit

Both the ICO (Information Commissioner’s Office) and the Irish Data Protection Commission have posted guidelines on what British companies should do if a no deal Brexit becomes reality on the 29th of March 2019.

GDPR is dead, long live GDPR


First of all, at the start of this new year, it is time to wish you the very best for 2019.

Now, with this new year, most of the GDPR hype is over: we got rid of all the emails requesting our consent, and the media have discovered other topics to talk about.

For those that have already gone through the effort of adapting their way of working to make it GDPR compliant: congratulations!

For the others:

The best time to prepare for GDPR was yesterday.

The next best time is today …

As the deadline of the 25th of May is already long overdue, there is no more need for quick and dirty solutions. We can stop all the window-dressing and set up a decent organization, in line with the company standards and, above all, with a pragmatic approach that does not disrupt our business.

We are lucky that in Belgium our DPA (Data Protection Authority) has not started massive controls yet, so that gives us a little breathing space to become compliant.

But that should not at all be an excuse for ignorance!

As said before, if you go through the process of getting GDPR compliant just to avoid the fines, you haven’t understood the message.

Your employees, your customers, and all your other contacts deserve respect for their privacy and for the (personal) data they entrust to you. They are the ones that will benefit from this project, and they will ultimately decide whether they want to continue doing business with you.

Now, what are the top 5 items to focus on in 2019?

  1. Have your privacy and cookie policies updated in line with GDPR

    By doing this, your visitors know what happens with the data they leave behind, and you already give a clear signal that you care.

  2. Negotiate the necessary data processing agreements

    All subcontractors involved in the processing of personal data on your behalf should sign one.
    Not only will they be motivated to respect the rules on the processing of your personal data, but you will also gain a better insight into the quality of your subcontractors.

  3. Have an information security framework in place.

    We based our approach on ISO 27001, a globally renowned framework that will give you a clear overview of your current security status. This will be a baseline for further improvements and will provide an extra security guarantee to your customers.

  4. Set up a risk management platform

    We call it a DPIA (Data processing impact analysis), but here again you will benefit twice, as it will provide you with much more management information than what is required for the GDPR.

  5. Start creating privacy awareness on all levels.

    GDPR is not a project for legal and IT departments. They are the ones leading the way, but they can only succeed when everyone within the organization is involved.

Now, how about outsourcing this project? 

We are best placed to take it out of your hands, so you can focus on your core activities.

Our team of highly experienced specialists has all the templates ready, can organize the necessary training sessions and workshops, and has you up and running in no time.

Contact us to get a detailed budget estimate; you might be pleasantly surprised.