18 January 2019
The UK government prepares for a no deal Brexit and aims to ensure the preservation of a functioning UK data protection regime.
As we know, the default position is that if there is no approved EU withdrawal deal by 29 March 2019, the UK will leave the EU on a 'no deal' basis. If a deal is agreed, we will go into a transition period during which it will effectively be business as usual. The DPA18 has already made provision for a UK version of the GDPR to replace the GDPR but there have been question marks as to how data transfers out of the UK would work.
In December 2018, the government published a second technical notice and ICO guidance on data protection and a no deal Brexit. These were followed by draft Regulations designed to implement the principles set out in the technical notice. The draft Data Protection, Privacy and Electronic Communications (Amendment etc.) (EU Exit) Regulations 2019 will come into force on exit day, although if there is a transition period, application of all except the part relating to PECR will be delayed.
The UK's ICO has also published guidance for businesses and SMEs on preparing for a no deal Brexit. This includes a 'six step' plan, broader guidance, FAQs, and an interactive tool to help assess whether SCCs are an appropriate data transfer solution. Further guidance will be provided to organisations currently relying on BCRs.
The UK government has done what it can to smooth the data protection path in the event of a no deal Brexit. Obviously it cannot exert control over the fact that the UK will become a third country for EEA purposes after Brexit and in the absence of an adequacy agreement (which we know the EU will not consider until after Brexit).
This helps UK businesses which export data but not those importing data from the EEA nor EEA businesses exporting personal data to the UK. These businesses will need to find a suitable data export mechanism (most likely Standard Contractual Clauses) and consider whether they will be required to appoint a representative. Cross-border businesses will also need to review the location of their Lead SA and their DPO if they have one.
We will be publishing detailed information and checklists about data protection and Brexit on our Global Data Hub in early February.
by multiple authors