Unsurprisingly, given the events of 2020, the impact of Brexit has slipped from people's radar slightly, but the expiry of the withdrawal period is fast approaching. One of the many changes for organisations to address will be the impact on how personal data is protected.

Does Brexit change the law on data protection?

Many organisations have spent time and money understanding the requirements of the General Data Protection Regulation (GDPR) and putting measures in place to achieve and evidence compliance. That work has not been in vain, as the principles of GDPR are effectively replicated into United Kingdom law and so will continue to apply when the withdrawal period ends on 31 December 2020.

However, EU law has long provided for the sharing of personal data between EU Member States without undue concern given that everyone was bound by EU law - only transfers to 'third countries' outside Europe require additional safeguards to ensure the recipient has sufficient measures in place to guarantee adequate protections for personal data. Unless the UK government gains the EU's approval imminently, known as a 'finding of adequacy', the UK will be considered a third country, as of 1 January 2021.

Transfers of data

The UK has confirmed it intends to recognise existing EU findings of adequacy, and may also make its own. The most important point here is that transfers of personal data from the UK to someone based in the EU - for example, a distributor, a supplier of business support services or a hosting provider - will not require any additional safeguard.

Less simple is the reverse position, where those parties may want to transfer personal data back to your organisation; transfers from the EU to the UK do not benefit from the same blanket approval. If a finding of adequacy for the UK is issued this year, then the barrier is removed and personal data can flow freely between EU and UK without additional measures in place. If that does not happen, transfers of personal data from an EU country to the UK will be unlawful without an appropriate safeguard in place.

The most common safeguard is the use of standard contractual clauses, or 'model clauses', being additional contractual obligations on the parties sharing and receiving data, pre-approved by the EU as ensuring adequate protection. We await revised form model clauses but, in the meantime, two sets of clauses are available, for controller-controller and controller-processor relationships. There are conditions for ensuring these clauses bridge the compliance gap, so you would be wise to check with a legal professional on how best to go about implementing model clauses in relationships you identify as presenting a potential risk.

Local representatives

If your organisation offers goods or service to individuals in Europe, or monitors their behaviour, but you are based solely within the UK, you will still be bound by the EU version of the GDPR, as the EU may update it going forwards. You should also formally appoint a suitable representative (individual or company) in a relevant EU country to act on your behalf when dealing with the local regulator and local individuals, and make available contact details for that representative in your privacy policy.

Similarly, if you are based only in Europe but processing personal data relating to individuals within the UK, it looks likely that a UK representative will be required.

Remember your privacy policy

Consider any privacy policy updates that may be necessary as a result of Brexit-related changes. In keeping with the obligations to act fairly and transparently, privacy policies must be kept under review so they provide accurate information to individuals about processing of their data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.