Brexit and the GDPR

October 23, 2020

Are you in one of these situations?

I am a UK Company and I will need an EU Data Protection Representative

I am an EU Company and I will need a UK Data Protection Representative

I am a non-EU and non-UK company and I will need one or two Data Protection Representatives

Read below to know what you should do!

What Does Brexit Mean For Your Business?

Brexit will change almost every core function for UK companies that do business with the EU: from trade to regulation, hiring and transport, there’s almost nothing that goes untouched by the withdrawal from the EU and the single market. Data protection is unlikely to be at the forefront of companies’ minds during this period, but there are real issues facing data controllers and processors thanks to the GDPR.

During the transition period (i.e. until 31 December 2020), the GDPR continues to apply to the UK. However, the relationship between the GDPR and Brexit beginning in 2021 is unsettled. The UK is no longer a ‘Member State’ and will be considered as a third country” for GDPR purposes as from 1 January 2021. It will therefore need to negotiate adequacy status with the EU. What this entails and how long it will take is largely up in the air, as both parties must agree on a solution. Until then, data transfers from the EU to the UK will become infinitely more complicated.

Here’s what you need to know about the GDPR and Brexit!

You may need to appoint two Data Protection Representatives!

  • Given that the UK will become a third country on 1 January 2021, UK companies will have to appoint a GDPR Article 27 EU Representative if they deal with personal data from the EU;
  • EU companies that do business with the UK and process UK personal data will have to appoint a UK Representative, as the UK Government intends to require such an appointment when the Brexit transition period ends (i.e. 31 December 2020). 
  • Companies that are located outside the EU or the UK need to appoint two Data Protection Representatives if they do business with the EU and the UK.

EDPO can act as both your EU Representative and/or UK Representative!

Appoint EDPO as your Data Protection Representative before the end of the Brexit transition period and you will get two Data Protection Representatives for the price of one!

Will the GDPR Apply After Brexit?

Yes, the GDPR will still apply to UK businesses after Brexit.

UK organisations will still need to meet the demands of the GDPR if they offer products or services to individuals who are in the EU or if they monitor the behaviour of such individuals. As a result, most UK organisations will still need to be GDPR compliant regardless of any trade or Brexit deals. This is already true for third countries, which the UK will become as from 1 January 2021.

The third-country status will bring significant changes for UK data controllers and processors because they will be subject to cross-border data transfer requirements and they may have to appoint a GDPR representative in the EU.

The UK: A Safe Place for Data Post-Brexit?

The GDPR requires that data transfers to any third country occur only with countries designated as ‘adequate’ by the European Commission.

Countries with adequacy are those that use an EU-equivalent level of data protection. As a result, they aren’t bound by Article 46 and 47 of the GDPR, and data can flow between the EU and these countries without limits or checks. At present, countries recognized as being adequate for data transfers include Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay.

Canada and Japan are also included, but there are limitations to data transfers to these countries. In Canada, only commercial organisations benefit. In Japan, the adequacy decision only covers private sector organisations.

The U.S. was also included via the US-EU Privacy Shield – but only for U.S. companies that signed up to the framework – but this mechanism was recently invalidated by the Court of Justice of the EU, meaning that data transfers between the EU and the US are no longer considered as safe or protected, unless appropriate safeguards are put in place and if the rights of individuals are enforceable, and effective legal remedies are available.

What comes next for the UK will depend on any data protection agreements worked out in the transition period. The UK already uses the Data Protection Act 2018, which issued requirements similar to the GDPR in terms of privacy and transparency.

However, the most comprehensive understanding of what will be the UK version of the GDPR can currently be found in the Data Protection, Privacy and Electronic Communications (EU Exit) Regulations 2019.

Will Companies Be Able to Send Data Between the UK and the EU?

At present, the UK government does not intend to consider the EU as a third country in terms of UK data processing. As a result, UK companies will be able to continue sending data to the EU. However, the EU has not reciprocated this commitment, which means that EU data transfers to the UK will face restrictions.

The results are likely to be messy. UK-based organisations will struggle to serve customers within the EU. It will also present unique challenges on the island of Ireland as well as for Gibraltar/Spain, where ties with the EU are intimate.

Lifting the restrictions will depend on the UK and each relevant company meeting the EU’s safeguards for supporting data transfers. The requirements for third country data transfers are detailed in Chapter V of the GDPR.

When Will the Data Transfer Rules Change?

The Withdrawal Agreement acknowledged by the EU and the UK government stipulated a transition period to last from January 31, 2020 to December 31, 2020. During this period, the UK agreed to continue following EU laws and regulations despite the ‘exit’ taking place in January 2021. As from 1 January 2021, the UK will be a third country.

As a result, data transfers (and the provisions or rights) continue as normal for both EU and UK companies and residents for the duration of 2020, until the end of the transition period.

However, there will not be a clean break. Any EU-originating data in the UK prior to the end of the transition period will still benefit from the GDPR as written and amended by the EU. The product is a backstop that continues to protect the privacy of individuals in the EU regardless of the outcome of negotiations for 2021 and beyond.

Ideally, the GDPR will then be superseded by the UK’s adequacy decision, granted by the EU. 

I am a UK company: what should I do?

If your UK company doesn’t have an establishment in the EU and you intend to process the personal data of individuals in the EU (including UK citizens living within the EU), then you will most likely have to appoint an EU representative.

An EU representative is NOT a Data Protection Officer (DPO). Instead, an EU representative is a natural person or body within the EU who is your point of contact for individuals in Europe, as well as regulators. (A DPO works with your company or organisation to facilitate compliance.)

UK companies will not already have an EU representative because there is no need for one as long as they are not located in a third country.

To be compliant with the GDPR, you will need a representative in place by the end of the transition period, unless you can claim the application of the restrictive and cumulative exceptions of Article 27(2) of the GDPR.

Take our quick assessment test to find out if you need to appoint a GDPR EU representative.

I am an EU/EEA company: what should I do?

Similarly to the GDPR, organisations that become subject to the UK-GDPR by the end of the transition period (i.e. as from 1 January 2021) will need to appoint a UK Representative.

The UK’s data protection authority (ICO) confirms that “the UK government intends that after the transition period ends, the UK version of the GDPR will say that a controller or processor located outside the UK – but which must still comply with the UK GDPR – must appoint a UK representative.”

Everything is uncertain but as of now, a UK Representative will be needed for all companies offering products or services in the UK and dealing with UK personal data.

My company is not located in the EU or in the UK: what should I do?

Companies that do not have an establishment in the UK or in the EU will need to appoint a least one Data Protection Representative if they process personal data in one or both of these locations.

If you only process data in the EU, then you will only need to appoint an EU Representative.

Similarly, if you process personal data in the UK only, you will only need to appoint a UK Representative.

However, if you process personal data in both places, you will need both an EU and a UK Representative.

EDPO offers both EU Representative and UK Representative services. If you sign up for either the EU or UK Representative services before the end of the transition period, you will get the second Representative services at no extra cost!

Click here to find out more about our Services!

Your obligations in a nutshell

Follow us on Linkedin for daily breaking GDPR news!

Get our weekly newsletter in your inbox every Monday with fresh GDPR and Data Protection news!