Brexit introduces a host of uncertainties for businesses in the UK, in the remaining EU states, and in other countries that do business with the UK and the wider EU. Data protection has been a particular point of focus in the past year, due to the introduction of GDPR.
GDPR became applicable law on May 25, 2018, after a two-year transition period. On implementation, it became law in all 28 member states, with no need for transposition into local law (though several countries did exactly this). The UK instantiated GDPR in its Data Protection Act (DPA) 2018, passed on May 23, 2018.
What is the impact of Brexit on GDPR, from a UK perspective? The short answer is not much: companies will still have to comply, Brexit or not. GDPR is implemented in the UK’s DPA law, which will persist after Brexit happens (scheduled for March 29, 2019). Since GDPR and the UK’s DPA are (mostly*) identical, compliance with GDPR on March 28 should translate to DPA compliance on March 29. So far, so easy.
The somewhat longer answer is, it depends. If a UK business moves data to, or receives data from, the EU 27 after Brexit, then it is engaged in data transfers, which are one of the areas most scrutinised by the regulators. Data moved to the EU automatically falls within the scope of GDPR, irrespective of its origin. Data received from the EU must comply with GDPR, and it is illegal for an EU 27 firm to export data to a so-called “third country” without specific legal safeguards in place. Since post-Brexit UK will be a third country, UK companies will be subject to these safeguards.
The first safeguard measure is “adequacy,” a test of legal data protection equivalence in the receiving third country. Only a handful of countries today have adequacy. The UK may apply for adequacy, but it is not clear whether it would receive this status. The UK’s approach to citizen surveillance (via the Investigatory Powers Act 2016) and its intention to withdraw from the EU Charter of Fundamental Rights (on which GDPR is based) are the primary barriers. Although the Information Commissioner’s Office (ICO, the UK regulator) wishes to achieve adequacy, ultimately this is a political decision. An alternative to adequacy could be a specific bilateral agreement between the UK and the EU, similar to EU-US Privacy Shield.
The other legal safeguard measures operate at a company level: Binding Corporate Rules, Standard Model Contract Clauses, Codes of Conduct, and so on. All of these measures are non-trivial for companies to implement.
Our view is that companies should assume that GDPR, as implemented in the UK DPA, will persist for the foreseeable future, post-Brexit. Day-to-day compliance requirements will not change (much, or at all). However, for those companies engaged in receiving data transfers from the EU, additional focus must be given to the legal safeguards required. Companies may take a wait-and-see approach, but may wish to familiarise themselves with, at the very least, Standard Model Contract Clauses. Should a no-deal Brexit occur, such firms would not be able to receive EU data transfers without a legal safeguard measure in place.
Brexit, GDPR and the cloud
Data transfers include the movement of data into and from cloud services and other third-party suppliers. UK cloud service providers with EU 27 customers must therefore assume that they are in receipt of personal data that must comply with GDPR data transfer rules. That is, additional legal safeguards must be in place. UK end-users must ensure that their cloud providers will continue to be GDPR/DPA compliant after Brexit. And EU 27 end-user firms must ascertain the compliance and legal safeguarding credentials of their suppliers.
*There are some differences, so check with the ICO to see if these are relevant to you. For the avoidance of doubt, Forcepoint does not provide legal advice.