After many twists and turns, the UK has finally left the European Union (EU). A new transition period has begun in which the UK has until the end of December 2020 to negotiate a new relationship with the EU. This will no doubt impact data protection laws but, until then, it’s business as usual.
The Prime Minister Boris Johnson has said that the UK will eventually pursue an independent data protection policy. But what has been clear from the outset of the Brexit announcements is that the policy will remain aligned with the General Data Protection Regulation (GDPR) – legislation which as we know has been the biggest, albeit much-needed, shake-up to data privacy in 20 years.
So where do organisations stand with the GDPR now? In simple terms, we have now reverted back to the 2018 Data Protection Act (DPA) which enacts the principles of the GDPR into UK law and issues an additional statutory instrument to cover the transition period. This essentially means that UK organisations that process personal data are currently bound by both the GDPR and the DPA.
With regards to data transfers, the UK has moved from an EU member state into a ‘third country’ designation but the reality is that this won’t make any material difference to organisations until the end of the transition period this year. After that period, if the UK is not recognised by the EU Commission as being ‘adequate’, then all transfers with the EU will require additional safeguards or companies to meet approved codes of conduct such as the EU-US Privacy Shield.
The EU’s decision to determine the UK as ‘adequate’ will depend on the UK’s ability to demonstrate that it is processing data in a safe way. So, although the UK has been operating under the rules of the GDPR, it will not be automatically afforded this status. The differences between the DPA and the GDPR are minor but they may be enough to prevent the EU from granting adequacy status.
Organisations therefore need to prepare for the worse case scenario, which is that the UK will end the transition period with a ‘third country status’. However, according to the government, the transfer of personal data from the UK to EU member states will remain unaffected.
Organisations transferring personal data from the EU to the UK, on the other hand, will need to prepare for a no deal future with Standard Contractual Clauses (SCCs) which are EU-approved data protection clauses for safeguarding data across international borders.
Brexit, as we know, is highly politicised and one could argue that the EU may seek to ensure the world (and particularly countries in the EU) see that the UK feels the pain of exiting. My advice to UK businesses that need to process EU subject data is to read up on the derogations for third countries and start bringing in the SCCs now. The Information Commissioner’s Office (ICO) has templates available – although these are best suited to small and medium-sized businesses rather than larger organisations or multi-national companies which may find the ICO’s other guidance more helpful.
The bottom line is that, for those thinking that the heat is off outside of the GDPR, think again. The ICO still has the power to punish organisations that don’t take data privacy seriously. We have already seen it demonstrate its powers through enforcement. In fact, it still holds the number two spot for handing out the largest GDPR fine – a whopping £183.39 million to British Airways after approximately 500,000 customers were compromised as a result of a data breach in 2018.
The UK also sits in the top three for data breach notifications to regulators, meaning that UK citizens are exercising their powers to report lax companies. Simply put, then, organisations must not get complacent about data protection in a post-Brexit world. There is no doubt it will be the organisations already compliant with the GDPR that will be best prepared for what’s to come.