Before the implementation of Brexit, the UK is part of an EEA-wide free data flow area which is underpinned by the GDPR. Post-Brexit, if the UK leaves the EU without a deal addressing similar issues, it will be left with a personal data border between the EU and the UK.
Discussions of Brexit center mainly on cross-border trade. British industrialists question the need to have a hard border. A hard Brexit isn’t only about tangible border issues. Britain is primarily a service economy, particularly reliant on the free flow of intangible items between the UK and Europe. Many businesses rely on data centers outside the UK, outsource data processing offshore, or share personal data with affiliated offshore organizations. Many firms have online businesses where they receive personal data from offshore, e.g. centers that have customers in the EU. The rules applying to the cross-border flow of personal data between the UK and the EEA are enshrined in the General Data Protection Regulation.
After leaving the EU, a UK-specific version of the GDPR will apply. Outside the UK, the GDPR will continue to apply in its current form to the remaining EU states. If the UK left without a deal, some consequences would ensue. The immediate result would be that the UK becomes a “third country” in the eyes of the EU. Also, the UK data protection law (the UK GDPR) will no longer be considered “adequate” by the EU in the short term. If EU-based organizations wish to transfer personal data to the UK or import such data, they are likely to rely on another legal mechanism to enable such flows to continue smoothly.
This would typically take the form of an EU-approved transborder data agreement known as “standard contractual clauses.” Permission to export personal data to the EU will be granted by the UK GDPR. However, if data is exported for processing in an EU state, there may be issues in sending it back if the UK becomes a “third country.”
Another potential implication is that firms that sell goods and services online to nationals in EU states will need to comply with the UK GDPR as well as the EU GDPR. Firms that operate in the UK and are not concerned with transborder data flows, however, face no such implication. Advising businesses what to do about Brexit is a difficult task. Moreover, firms are now unclear about the GDPR changes, considering it a particularly complex area.
Most existing businesses have already spent much effort and time complying with the GDPR. Now, there is a significant risk of additional complexity in maintaining the free movement of data. The UK’s Information Commissioner (ICO) is aware of these issues and has been providing more resources online to assist businesses.
Their latest concern is that if the UK leaves the EU without a deal, most of the data protection rules affecting medium and small-sized businesses and organizations will stay the same. UK businesses or organizations that already comply with the GDPR and have no contacts or customers in the EEA need not do much more to prepare for data protection compliance post-Brexit. UK businesses or organizations that receive personal data from contacts in the EEA need to take extra steps to ensure smooth data flow after Brexit. These additional steps include cross-border data transfer agreements (SCCs) in the approved form.
UK businesses or organizations with an office, branch, presence, or customers in the EEA need to comply with both EU and UK data protection regulations post-Brexit. Such firms need to designate a representative in the EEA. Businesses must plan for a no-deal scenario considering the current political uncertainty.
Firms need to start by mapping the data flows between their businesses and the EU. The impact of a no-deal Brexit should be examined based on this. While there may be some work required to enable firms to continue receiving data from the EU, these steps are relatively modest compared to those needed to ensure free trade in goods after a no-deal Brexit.