GDPR and Brexit: Managing the Personal Data of EU Citizens
Brexit has spawned lots of questions surrounding the GDPR. Unless you’ve been living under a rock for the past couple of years, you’ll have read and heard a lot about the impact of the EU General Data Protection Regulation (GDPR), which came into force on May 25, 2018. But with GDPR being an EU regulation, will UK businesses still have to comply with GDPR rules after Brexit?
The short answer is yes, businesses in the UK will still have to comply with GDPR rules even after Brexit. But, in some cases, the specifics of how your company handles data may change slightly after Brexit.
Recognizing that GDPR is enshrined in UK law and Brexit won’t change that
In a nutshell, GDPR is designed to give every EU citizen greater control over his or her personal data, including name, date of birth, and email address. It ensures that companies can’t store and use the personal data of EU citizens without their explicit consent, and promotes the fair, transparent use of personal data.
The fact that UK citizens will no longer be EU citizens after Brexit doesn’t matter. Implementation of GDPR in the UK is covered by the UK Parliament’s Data Protection Act 2018. So, GDPR is already written into UK law, and the government has committed to maintaining GDPR compliance in the UK. This ensures that UK citizens will continue to get all the same protections as their EU neighbors, when it comes to the fair use of their data.
This means all the protocols you’ve put in place to lawfully handle the data of your customers (whether they’re in Europe or the UK) will still apply, and you should absolutely maintain compliance with GDPR.
But why continue with something that originated as EU law when so much of the rhetoric surrounding Brexit was about “taking back control”? The cynical answer is that businesses and public bodies in the UK have already spent millions ensuring their data practices were fully compliant with GDPR. If the government backtracked on GDPR now, it would mean all that expenditure was pointless. After all the time, effort, and money spent, it would be crazy to “undo” GDPR in the UK.
The less cynical answer is that GDPR is a good thing, for organizations and for individuals. Sure, it brings additional burdens in terms of compliance, but there’s no doubt it provides important protections for citizens’ private data. As technology advances and the world becomes increasingly driven by data, these protections will only become more valuable.
It’s also important to remember that any close relationship between the UK and the EU going forward is likely to be dependent upon both parties having similar regulatory systems. Therefore, GDPR is just one area where British businesses will effectively be operating in line with European businesses.
Transferring data between the UK and the EU after Brexit
Broadly speaking, how UK businesses handle personal data will stay the same. But there’s a big uncertainty around what happens to businesses that transfer data between the UK and the remaining EU27 countries after Brexit (for example, if a company has offices in the UK and Europe, or if a UK business uses a cloud service provider based in the EU).
Under GDPR, data cannot be transferred between the EU and third countries (non-EU countries) unless those countries have been deemed to have “adequate” data protections in place.
In the less likely event of a no-deal Brexit, the UK will immediately be considered a third country, which means that the European Commission will need to assess that the UK has adequate levels of protection in order for the smooth transfer of data to continue. (In theory, the Data Protection Act ensures that the UK does provide an adequate level of protection, but as with so much of Brexit, it’s a case of wait and see whether this plays out in reality.)
And if the UK does exit with a withdrawal agreement in place, then, for the duration of any transition period, data transfers can continue as normal.
Stay up to date on the latest GDPR advice by visiting the following sites:
- Amendments to UK data protection law in the event the UK leaves the EU without a deal
- International data transfers