Brexit’s impact on GDPR Compliance: what businesses should know

Published January 27, 2020

It wasn’t all that long ago that the EU’s General Data Protection Regulation (GDPR) went into full force, compelling multinational businesses and EU-centric companies to adapt their data procedures to comply. The changes also had a ripple effect on the rest of the world, leading most recently to the passage of the California Consumer Privacy Act (CCPA), which contains many similar provisions. For people in the big data world, it’s fair to say that GDPR and CCPA meant that the world was changing and moving closer to a single standard for data privacy and the handling of personal information.

That doesn’t mean, however, that there aren’t going to be some bumps along the way. In fact, there’s one such bump coming for businesses in the United Kingdom in the form of Brexit. The country’s upcoming departure from the EU is causing havoc in a variety of places, from financial markets to the physical borders within the UK. It’s also causing headaches for firms that already adjusted to GDPR and are now trying to figure out how it will apply to a post-Brexit UK.

To help, here’s an overview of what’s going to change and what’s going to remain the same for data protection in the UK after Brexit finally happens.

GDPR and the Current Withdrawal Agreement

At the time of this writing, the UK and the EU have a withdrawal agreement in place that appears likely to make it through parliament in the UK. It would mean that Brexit will be a reality as of January 31, 2020. Among other things, the agreement has some provisions specific to GDPR within the UK. The most important parts pertain to the transition period after withdrawal, including:

  • A Defined Transition Period – Under the current agreement, all EU data and privacy regulations would remain in effect within the UK until at least December 31, 2020. That means that UK businesses and others with cross-border interests would have at least a year to make whatever changes will eventually become necessary.
  • EU Precedent Will Remain – During the transition period, the UK has agreed that all precedent stemming from enforcement of the GDPR by the European Court of Justice will remain in effect. That means that recent decisions such as the finding that a pre-checked checkbox doesn’t constitute consent to a cookie policy will still remain relevant after Brexit within the UK.
  • Changes to EU Regulations Still Apply – It’s also important to note that any changes the EU makes to GDPR or any related legislation will still apply to the UK until the end of the transition period.
  • A Non-Discrimination Clause – During the transition, EU member states agree not to discriminate against UK-based businesses in their application of GDPR provisions.

In short, the withdrawal agreement means that UK businesses won’t see any changes to their obligations under GDPR, but only for a period of one year from withdrawal. While that should provide some clarity and stability for affected companies, it says little about what will come next.

The Post-Transition Period

The withdrawal agreement, as it stands now, says little about what will happen after the pre-defined transition period. On that front, here’s what’s known so far. To facilitate the future flow of data between the UK and EU member states, the withdrawal agreement commits the EU to start the process of an adequacy assessment of the UK’s existing data privacy laws. The goal is to have an adequacy decision in place by the time the transition period ends.

In practice, this means that the UK may work to update the Data Protection Act of 2018 (DPA), which was its local legislative application of the original GDPR. There are already several key differences between the act and GDPR itself, which include some additional provisions and notable exemptions that already apply within the UK. It’s not yet known what the UK will have to change (if anything) to secure an EU adequacy decision. But whatever shape data regulations in the UK take after the transition period, everything will begin with the DPA.

The Future of UK-EU Data Operations

There is one major takeaway from the current state of affairs that businesses should take note of: the only real certainty right now is during the transition period that will last until December of 2020. After that, if an adequacy decision isn’t granted to the UK, data transfers from the EU to the UK would be restricted immediately. That alone should be enough reason for affected businesses to begin segregating their data. It’ll make it easier to comply with the law, regardless of how things ultimately work out.

Better still, it could be advantageous to preemptively move data operations out of the UK entirely and into an EU member nation, since there will be no restrictions on UK citizens having their data stored there after the transition. That may well be the only way for digital businesses with interests in the UK and EU to bulletproof their compliance measures without knowing the outcome of the complex Brexit process. If the uncertainty that’s been the hallmark of Brexit so far is any indication, now’s the time to act – and the clock is already ticking.