Blog How Does Brexit Affect the GDPR?

EU-based organisations

If you are an organisation based in the EU, and you’re processing the personal data of EU citizens only, then largely nothing changes. The GDPR still applies; the main aspect you may need to review is in the situation where you transfer personal data to the UK, perhaps for processing. If this will continue then you need to look at the basis that covers the transfer. Currently the UK is still in transition, so it isn’t a problem. After Brexit however, a number of situations may arise. The simplest of these is that the EU grants an adequacy decision in favour of the UK which means that it considers UK data protection law to be “good enough”, and transfers can continue. If this doesn’t happen, then appropriate safeguards such as standard contractual clauses (SCCs) or binding corporate rules (BCRs) may be appropriate, or you may be able to apply an exception to the transfer. Each of these options will need to be looked at, with their relevant pros and cons.

If your organisation not only processes the personal data of EU citizens, but also of UK citizens, then you will need to comply not only with the GDPR, but also with UK data protection laws. The main one of these is what is termed “UK GDPR” which, as the name suggests, is (deliberately) very heavily based on the EU GDPR. You may need to appoint a representative in the UK who will act for you in interfacing with the UK Information Commissioner’s Office (ICO) which wasn’t needed previously.

UK-based organisations

If you are an organisation based in the UK, and you’re processing the personal data of UK citizens only, then you will no longer need to comply with the GDPR. However, you will need to comply with both the UK GDPR and the UK Data Protection Act so in effect nothing much changes in terms of the controls you need in place. If you transfer the personal data of UK citizens outside the UK, including to the EU, then you will need to look at the basis used for the transfer. The good news is that the UK trusts the EU data protection regime, so transfers to the EU are covered by a UK adequacy decision.

If you do process the personal data of EU citizens, then the EU GDPR will continue to apply to you, and you may need to nominate a representative within the EU. In this case, you will also need to look at any transfers of EU personal data you perform to the UK and, if there is no EU adequacy decision in favour of the UK, how these will be adequately covered (again, the main choices are SCCs, BCRs or an exception).

Organisations based outside the EU and UK

If your organisation is neither in the EU or the UK then the main change will be that you will need to start to consider the two as separate entities, potentially appointing representatives in both (assuming you process the personal data of both UK and EU citizens). If you don’t operate in the UK, then there will be little change, unless you transfer EU data to a processor in the UK perhaps (in which case you may need to cover that transfer with appropriate safeguards, such as SCCs, or an exception). Similarly, if your organisation targets customers only in the UK then you will need to keep track of any divergence between UK and EU data protection law as time goes by (initially they may be considered to be the same).

In summary

In most cases, the changes for Brexit are not big and the fundamentals will stay the same. What your organisation needs to do will depend on where it is based, where its customers are and where it transfers personal data to and from. CertiKit published a Post-Brexit version of our GDPR Toolkit early in early 2021 and a new UK Data Protection Toolkit for those organisations that only need to comply to the UK law.