With the UK planning to leave the EU, questions have been raised over the impact of the GDPR in the UK once it is no longer part of the EU, and over the implications for cross-border trade.
This post dives into the weeds of data protection under an impending Brexit to see what a deal or no-deal outcome would mean for data protection in the UK, and possibly your business.
Will the GDPR apply to the UK after Brexit?
Yes. The GDPR applies now, and it will still apply to the UK post-Brexit.
Currently, the UK has adopted the UK Data Protection Act 2018 (DPA 2018) which incorporates the GDPR into UK national law (along with some caveats). Once Brexit happens, the GDPR will become UK national law as stipulated by the EU Withdrawal Act 2018 (EUWA).
What if I want to transfer personal data from the EEA to the UK?
The UK ICO has provided some guidance for navigating this grey area. They caution that companies relying on EEA-to-UK data transfers ‘will need to carefully consider alternative transfer mechanisms to maintain data flows.’ There are a few specific ‘transfer mechanisms’ that the ICO has in mind here:
- Standard Contractual Clauses: The ICO also published a guide to using SCCs, but the gist is fairly simple. SCCs are basically a mechanism for UK businesses to ensure GDPR compliance, even with no Brexit deal. They are a series of terms and conditions that oblige both parties to adhere to GDPR data protection rules.
- Binding Corporate Rules: Geared toward larger companies, BCRs are particularly useful for corporations with multiple subsidiaries. They allow a group to institute a single set of blanket rules for data transfers and the treatment of personal data across all the organizations under its jurisdiction (as well as the businesses with which they work).
- Q: What if I’m not sure if I have EU clients?
A: If you’re not sure whether you have EU clients (and therefore need to comply with the GDPR), the GDPR would also look at whether you might target people in the EU. For instance, do you accept payment in euros? Do you have a web domain in an EU country as well as your .co.uk domain? If so, then the GDPR will probably say that you’re targeting people in the EU and need to comply with the GDPR, regardless of whether you know for sure that you hold EU citizens’ personal data.
- Q: The headquarters of my company are in the EU, but my branch is in the UK. Do I still have to operate as a business in a “third country”?
A: It depends. If you transfer EU residents’ personal data from your HQ to your UK branch, then you do need to regard that transfer as a “third country” transfer. But if you can make sure that personal data of people in the EU is processed only by people in your headquarters and on servers in the EU, then you don’t need to worry about third country transfers to the UK. However, it’s unlikely that you’ll be able to do this because of the expansive definition of “processing”, which includes accessing, disclosing, storing, or doing anything to (or with) the personal data. This kind of data segregation is not usually efficient or manageable for a business. We’d recommend covering data transfers within all your offices with a single set of Binding Corporate Rules (BCRs) so you don’t have to worry about slipping up and accidentally transferring data to a ‘third country’ (the UK) without proper contractual safeguards in place. Your business might already have specific BCRs that set out the proper treatment of your customers’ data, but that is something for you to verify. Until the UK eventually achieves adequacy, you will operate under the guidelines that address third countries.
- Q: Do I have to abide by the DPA 2018 if I am an EEA business with UK clients?
A: Yes, you will. It’s important to remember that simply complying with the GDPR at face value doesn’t necessarily mean you’ll comply with the DPA 2018. The GDPR allows member states, including the UK, to deviate from it in certain areas. (Here’s a list of the differences between the UK DPA 2018 and the GDPR.)
- Q: How is the DPA different from GDPR?
A: The DPA lowered the legal age at which someone can consent to data processing from 16, as the GDPR specified, to 13. The DPA also specifies the GDPR’s applicability to certain intentionally ambiguous areas like law enforcement, intelligence, and immigration. It makes changes to employment law, allowing businesses to process special categories of data (like race, sexual orientation, health data, and more) where it’s necessary for rights and obligations related to employment. A more detailed summary of the derogations made in the DPA can be found here.
- Q: What set of rules do I need to comply with right now (pre-Brexit) if I only have UK citizens as clients?
A: You should comply with the guidelines set forth in the DPA 2018 (therefore also complying with GDPR).
- Q: I’m a US company, and I process UK citizens’ data. What regulations do I need to abide by?
A: You need to follow the UK DPA 2018 as well as any relevant US regulations. In the US, your regulatory requirements follow a sectoral approach, so the regulations you’ll have to follow will depend on the type of business you have. Also bear in mind that following the UK DPA 2018 also means that you’ll need to meet GDPR requirements.
If you’re worried about doing data mapping, setting up SCCs or BCRs, or generally figuring out what to do, Sovy is here to help.
The GDPR Essentials Package helps you make sure you’re on the right side of compliance. You’ll get access to the Sovy Hub, and from there you’ll be able to craft all policies required by the GDPR and DPA 2018.
You’ll also have access to a suite of regulatory guidance documents and eLearning courses that give more detailed, layman-friendly education on tough-to-navigate areas of the law.