Our technology policy officer Tim Hill looks at what happens with data protection should there be a no-deal Brexit.
Under the current Withdrawal Agreement between the EU and the UK, when the UK leaves the EU on 29 March 2019, EU law will continue to apply to personal data exchanged between the UK and EU before the end of the 21-month implementation (or transition) period.
If the UK leaves the EU without a deal, one of the issues that law firms and other businesses will need to consider is whether their cross-border data flows are compatible with data protection laws.
The Data Protection Act 2018 will remain on the statute book, but the GDPR will no longer be directly applicable law in the UK because the UK will no longer be an EU member state.
However, the government plans to legislate for a UK version of the GDPR.
Following a no-deal Brexit without an agreement providing for further two-way flow of personal data, the UK will, in relation to EU data protection law, become a ‘third country’.
UK law firms exchanging personal data with countries in the European Economic Area (EEA) should therefore consider the contingency arrangements they may wish to put in place for ensuring the continuing lawfulness of these personal data transfers.
There are a number of options set out in the GDPR which have been summarised by the European Commission in a notice to stakeholders.
These include Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs) and derogations (the latter applying to EU data exporters only).
Additionally, the Information Commissioner has published a Six Steps to Take guide, a data protection and Brexit blog, a podcast, detailed guidance, a series of FAQs, and an interactive tool exploring the use of SCCs.
The Law Society has also published guidance for law firms.
The key messages from the ICO in their six steps are that you should:
- continue to comply with the GDPR
- review data flows and seek to ensure that data transfers into the UK from the EEA and from the UK to elsewhere are compliant
- review the structure of any European operations you have
- ensure that relevant documentation mirrors the new position (by rewording privacy notices, for example), and
- raise organisational awareness of the issue.
The ICO’s interactive tool for looking at data transfers from the EEA to the UK is aimed at small and medium-sized businesses and so may be a good place to start for many law firms.
You may also wish to review the Law Society’s no-deal Brexit guidance on data protection.
It makes a similar point about reviewing your data flows and identifying suitable safeguards to ensure that these flows can continue.
Other points cover:
- consent as a lawful basis for processing where the consent was obtained before Brexit and does not explicitly deal with data transfers outside the EU
- the need to review privacy policies
- firms with offices in the EU and GDPR derogations (such as the possible impact of local variations in the GDPR)
- lead supervisory authorities, and
- the appointment of representatives.
These topics are also covered in depth in the ICO’s detailed guidance.
Tim Hill is the Law Society’s technology policy officer.










