The General Data Protection Regulation (GDPR) will become part of UK law on 25 May 2018, but many businesses will undoubtedly be wondering how the new laws will be affected by Brexit.
As most companies are involved with personal data in some form or other, they will need to be aware of the many issues surrounding data protection and what is likely to happen when the UK leaves the EU. Here we explain that a close watch on Brexit is essential to an organisation’s data strategy.
Is personal data relevant for UK businesses?
Protecting personal data is absolutely essential in today’s ever-changing technological landscape, as it becomes more and more valuable and therefore at greater risk of exploitation. That’s why so much has been invested in Brussels, London and elsewhere to develop the law to protect us from the more unpleasant consequences of being part of a data-driven society.
But just looking at GDPR does not tell us the possible effects of Brexit on data protection.
Many businesses are highly reliant on personal data and often access or process data across the EU, either because they import from or export to an EU country, or because they store their personal data on a server in an EU country such as the Republic of Ireland. Approximately three-quarters of the UK’s cross-border data flows are with EU countries.
Could Brexit mean you lose access to your personal data?
It’s a possibility. The Government has emphasised that it wants to maintain the flow of data between the UK and the EU after Brexit. But the legal process will be more complicated than it is at present, so the flow of data is likely to be hindered.
How will the data flow be interrupted?
When the UK leaves the EU, we will be classed as a ‘third country’ for the purposes of personal data. Because of this, the UK will no longer automatically be treated as having an adequate level of protection for personal data to be transferred to it from the EU.
To help resolve this problem, our Government could obtain an ‘adequacy decision’ from the European Commission, which would permit data to flow in the same way as now. But this would take time, and an adequacy decision does not appear to be an immediate priority. And with the Government’s intention to exclude the Charter of Fundamental Rights from EU retained law, obtaining that decision will be difficult because personal data rights in the EU are inextricably linked with the Charter.
How will parallel data protection regimes impact on your business?
The Data Protection Bill 2017-19 was introduced in September with the intention of bringing the GDPR into UK law after Brexit. Before Brexit, GDPR will automatically become part of UK law in May 2018, without any involvement from the UK Parliament.
The new Data Protection Act will set out to address issues associated with personal data from 2019. But, in order to maintain uninterrupted data flow with the EU, the UK may have to align its data protection rules with EU rules (which will of course be developed without any input from the UK).
Could you still be subject to GDPR after the UK leaves the EU?
After Brexit, the GDPR will continue to apply to UK companies that process data in ways that bring them within its scope, even if they are not established inside the EU. Businesses that trade with the EU will have to comply with both UK and EU data laws. Any companies found to be non-compliant with GDPR will face fines of up to 4% of their annual global turnover or €20 million (whichever is greater).
Sarah Gunton, Commercial Solicitor, Harper James Solicitors
DISCLAIMER: This article should not be regarded as constituting legal advice in relation to particular circumstances. This article is merely a general comment on the relevant topic. If specific advice is required in connection with any of the matters covered in this article, please speak to Harper James Solicitors directly.