Deal or no deal? No, this is not a reference to the popular Noel Edmonds gameshow and there are no winners.
In the event of a ‘no-deal’ Brexit, with no agreed arrangements covering data protection, the Government is advising organisations to prepare appropriate contracts to ensure any transfer of European Union citizens’ personal data to the UK is compliant with privacy laws.
No one knows for certain what will happen with Brexit. What is clear though is that businesses need to start thinking hard about whether they are prepared for whatever happens. Are they asking the right questions to ensure they’re ready and comply with the GDPR?
The government has always said that after Brexit, The GDPR will be absorbed into UK law.
There is still uncertainty about whether the UK would leave the EU on a no-deal basis, but the new PM Boris Johnson has vowed to do so unless a deal can be reached next month.
The French data protection regulator, however, has said that in the event of a no-deal Brexit it will treat the UK like any other country that is outside the European Economic Area – basically treat the UK as a “third country.”
Other EU country regulators may very well take this view too, which will have legal implications for organizations.
The ‘third country’ status means countries in this category will need to show their data protection laws are robust if they are to secure an adequacy agreement, needed to ensure the smooth flow of data to and from the EU.
The UK was due to become a ‘third country’ on 00.00am on 30 March 2019, however, the departure date was then postponed until 12 April, and then again until 31 October.
If the UK does leave the EU without a deal at the end of next month then it will have consequences for GDPR, and resellers need to be aware of the issues.
The transfer of personal data from organisations within the EU to other organisations in the UK will be subject to strict data transfer rules, as set out by the GDPR. EU organisations will have to ensure their transfers to UK are lawful and that’s not going to be as simple as it is now.
Personal data is defined by the EU as any information relating to an identified or identifiable person. This broad definition covers the usual areas like name, address and bank or health records and can also include other information such as photographs and car registrations.
The biggest challenge for dealing with GDPR will be if the UK leaves without a deal. The UK has said it would permit data to flow from the UK to countries in the European Economic Area (EEA), however, it has no control over the flow of data from the EEA to the UK.
A negotiated agreement is now seen as the only way to ensure the UK can secure EU approval for the transfer of data towards the UK. However, there is no guarantee a deal would include this provision.
GDPR and the customer
The GDPR was introduced in May last year, which standardised European Union data protection rules across all member states.
But now the UK is about to leave the EU, we will no longer be subject to legislation passed in Brussels.
Once the UK leaves the EU, the GDPR will continue to apply. It will be incorporated into UK domestic law as part of the European Union (Withdrawal) Agreement and will continue to function alongside the Data Protection Act 2018.
The UK government has said it will seek an adequacy agreement with the EU. However, the process for this can only start once the UK leaves the EU.
Data adequacy is a status granted by the European Commission to countries outside the European Economic Area (EEA) who provide a level of personal data protection comparable to that provided in European law.
When a country has been awarded the status, information can pass freely between it and the EEA without further safeguards being required.
Data adequacy can also be awarded to specified sectors of an economy or international organisation.
To help navigate this complex issue of GDPR and Brexit, we will be offering a webinar soon, which will cover all the areas that need to be addressed to make sure you and your business are compliant in the event of a no-deal Brexit.
Please keep an eye on our website and social media for further information.