• Send us a message

    Fill in our form and we'll get back to you as soon as possible

    Please enter name
    Please enter your telephone number
    Please enter your email address
    Please let us know which of offices would most convenient for you?
    Please enter the details of your enquiry
    Please enter the verification code
    Send us a message
  • Services for you
  • Services for business

Implications of a 'no deal' Brexit on the processing of personal data

Legal update: Implications of a ‘no deal’ Brexit on the processing of personal data

The introduction of the General Data Protection Regulation (EU) 2016/679 (GDPR) in May 2018, supplemented by UK legislation in the form of the Data Protection Act 2018, has been one of the most discussed legal changes in the United Kingdom and European Union. In the months leading up to the implementation of GDPR and since, companies that control or process the personal data of individuals residing in the EU have been required to take steps to ensure their policies and systems are GDPR compliant.

 

If you require further legal advice, please contact our specialist Commercial Department today on 01329 282 841 or hello@glanvilles.co.uk.

 

The UK is due to leave the EU on 29 March 2019 and on 30 March 2019 the “transition period” will begin, to last until 31 December 2020. During the transition period the UK will continue to be governed by EU law but if a deal is not reached the UK will become a third country and new rules will apply to the transfer of personal data.

As it stands, transfers of personal data within the EU are not restricted but transfers of personal data outside the EU to third countries are only permitted if there is a legal basis for the transfer. Both positions are explained further below.

This update provides an overview of the position on transferring personal data both pre and post Brexit, the implications of a ‘no-deal’ Brexit on transfers and what you can do to protect your organisation and allow for the free transfer of personal data should there be a ‘no-deal’ Brexit.

 

Current position (pre-Brexit)

GDPR has incorporated more comprehensive rules on the transfer of personal data than the previous Data Protection Act 1998. For example it added the accountability principle, although many of the principles remain the same. Currently there are no restrictions on the transfer of personal data between EU countries as long as the following 7 key principles are followed:

  • lawfulness, fairness and transparency;
  • purpose limitation;
  • data minimisation;
  • accuracy;
  • storage limitation;
  • integrity and confidentiality (security); and
  • accountability.

 

Until 29 March 2019 the UK remains a member of the EU and subject to the above principles for the transfer of personal data between other EU countries, without further restrictions.

If you are not sure whether your business is following the current principles on the transfer of personal data, our Glanvilles Corporate team is able to assist and advise.

 

Withdrawal agreement

There have been ongoing negotiations between the UK and the EU to secure a withdrawal agreement setting out the arrangements for the UK’s exit from the EU for the transition period and beyond. One of the issues to be included in the agreement concerns the continuation of the transfer of personal data from EU countries to the UK post-Brexit.

The draft withdrawal agreement provides that GDPR will remain applicable in the UK during the transition period and, after the transition period, GDPR will continue to apply in the UK for processing personal data of individuals outside of the UK provided that the personal data:

  • were processed in accordance with EU law in the UK before the end of the transition period; or
  • are processed in the UK after the end of the transition period on the basis of the withdrawal agreement.

On the basis that the withdrawal agreement is agreed, there should be no or minimal implications on data processing between the UK and EU countries after Brexit.

 

A ‘no-deal’ Brexit

As the Brexit date draws closer with negotiations for the withdrawal agreement yet to be finalised, the Government has issued guidance stating that they have a duty to prepare for a ‘no-deal’ Brexit whereby a withdrawal agreement is not agreed.

Although there would be no implications of a ‘no-deal’ Brexit on the transfer of personal data in the UK immediately as the EU Withdrawal Act will incorporate GDPR into UK law, a ‘no-deal’ Brexit does not come without implications for EU countries. Companies or subsidiaries in EU countries would have no obligation to continue to send personal data to the UK.

 

Adequacy decision

If a ‘no-deal’ Brexit occurs and the UK becomes a third country, the European Commission must assess the UK’s level of personal data protection and deem it adequate in order to allow the transfer of personal data from EU countries to the UK without restrictions.

The European Commission is not able to take a decision on adequacy until after the UK becomes a third country. It is therefore likely that there will be a delay after a ‘no-deal’ Brexit whilst the European Commission carries out its assessment.

 

Safeguards

If the UK’s data protection level is not deemed ‘adequate’ upon exit from the EU, appropriate safeguards must be met in order to allow personal data to be transferred from an EU country to the UK. It is the responsibility of each organisation to ensure that the safeguards are put in place in order to comply with the ‘legal basis’ requirement. The safeguards may be provided by the following mechanisms:

  • standard data protection clauses (as approved by the European Commission);
  • binding corporate rules;
  • approved codes of conduct (as approved by the relevant data protection authority); or
  • approved certification mechanisms such as a data seal.

The Government has issued some guidance explaining that, if the UK becomes a third country upon leaving the EU, UK organisations should identify a legal basis for the transfer of personal data through at least one of the above safeguards. Organisations should prepare for this possibility.

 

At Glanvilles we understand that these requirements are not straightforward. Our Corporate team is able to provide assistance and advice on the measures your organisation can take to ensure there is a legal basis for you to receive personal data from EU countries if the UK leaves the EU without a Brexit deal.

If you require further legal advice, please contact our specialist Commercial Department today on 01329 282 841 or hello@glanvilles.co.uk.