The GDPR is a law of the European Union. It applies to organisations established in the EU and to the personal data of individuals in the EU, regardless of those individuals' citizenship. At 11pm (GMT) on 31st December 2020 the United Kingdom will complete the Brexit transition period, and from that point EU law, including the GDPR, will cease to apply directly in the UK. So what does this mean for organisations in the EU, the UK and elsewhere that need to comply with relevant data protection law?
The first thing to say is that the GDPR is still very much alive and must still be complied with by every organisation that processes the personal data of individuals in the EU, wherever that organisation is based. The second point is that the situation is still evolving: political decisions may be made, sometimes at short notice, that change what needs to be done to stay compliant with data protection law. We will try to present a simplified picture of how Brexit affects organisations that need to comply with the GDPR, but the reality may be more complicated than we can easily explain here, and it may change, so our frequent recommendation about the value of legal advice applies more strongly than ever.
The general guidance depends mainly on where your organisation is based, and on whose personal data it processes.
If you are an organisation based in the EU, and you process the personal data of individuals in the EU only, then largely nothing changes. The GDPR still applies; the main aspect you may need to review is any transfer of personal data to the UK, for example to a processor based there. If such transfers will continue, you need to identify the legal basis that covers them. During the transition period the UK is treated as if it were still a member state, so this isn't yet a problem. Once the transition period ends, however, a number of situations may arise. The simplest is that the EU grants an adequacy decision in favour of the UK, which means it considers UK data protection law to be "good enough", and transfers can continue as before. If this doesn't happen, the transfer will need to rest on appropriate safeguards, such as standard contractual clauses (SCCs) or binding corporate rules (BCRs), or on one of the specific derogations (exceptions) that the GDPR allows for particular situations. Note that, following the CJEU's Schrems II judgment of July 2020, relying on SCCs also means assessing whether the law of the destination country undermines the protection they promise. Each of these options has its own pros and cons and will need to be looked at.
If your organisation processes the personal data of individuals in the UK as well as in the EU, then you will need to comply not only with the GDPR but also with UK data protection law. The main instrument is what is termed the "UK GDPR" which, as the name suggests, is (deliberately) very heavily based on the EU GDPR, and which sits alongside the Data Protection Act 2018. If you have no establishment in the UK, you may also need to appoint a representative in the UK to act as your point of contact with the UK Information Commissioner's Office (ICO), something that wasn't needed while the UK was covered by the EU GDPR.
If you are an organisation based in the UK, and you process the personal data of individuals in the UK only, then you will no longer need to comply with the EU GDPR. You will, however, need to comply with both the UK GDPR and the Data Protection Act 2018, so in effect little changes in terms of the controls you need in place. If you transfer the personal data of individuals in the UK outside the UK, including to the EU, then you will need to look at the basis used for the transfer. The good news is that the UK has decided to treat the EU (and EEA) data protection regime as adequate, so transfers to the EU are treated as covered by a UK adequacy decision and can continue without additional safeguards.
If, on the other hand, you do process the personal data of individuals in the EU, then the EU GDPR will continue to apply to you, and if you have no establishment in the EU you may need to nominate a representative there. In this case you will also need to look at any transfers of EU personal data to the UK that you are involved in and, if there is no EU adequacy decision in favour of the UK, how these will be covered (again, the main choices are SCCs, BCRs or a derogation).
If your organisation is based in neither the EU nor the UK, then the main change is that you will need to start treating the two as separate jurisdictions, potentially appointing representatives in both (assuming you process the personal data of individuals in both the UK and the EU). If you don't operate in the UK at all, there will be little change, unless you transfer EU data to a processor in the UK, in which case you may need to cover that transfer with appropriate safeguards such as SCCs, or with a derogation. If, conversely, your organisation targets customers only in the UK, then it is the UK GDPR rather than the EU GDPR that applies to you, and you will need to keep track of any divergence between UK and EU data protection law as time goes by (initially the two can be treated as the same).
In most cases the changes brought about by Brexit are not big and the fundamentals stay the same. What your organisation needs to do will depend on where it is based, where its customers are and where it transfers personal data to and from. CertiKit published a post-Brexit version of our GDPR Toolkit in early 2021, and a new UK Data Protection Toolkit for those organisations that only need to comply with UK law.