Following the UK's vote to leave the European Union, we consider the potential implications for data protection compliance.
1. GDPR compliance
The new General Data Protection Regulation (GDPR), which introduces significant reforms to the way personal data are collected, used and shared will have direct legal effect across all EU Member States (including the UK) from 25 May 2018. It will replace all existing data protection legislation, including the UK's Data Protection Act 1998.
Following Brexit, the GDPR will cease to have legal effect in the UK and there is uncertainty as to what will replace it. A robust privacy law will be critical to supporting the continued growth of the UK digital economy and access to the European digital marketplace.
In our view, the UK Government are almost certain to implement equivalent legislation, effectively replicating the GDPR into UK law as part of any Brexit transition process. The Information Commissioner's Office (ICO), which acts as the UK data privacy regulator, has already indicated this position.
2. Data transfers
As a result of the UK leaving the EU, the UK will lose its automatic status as a 'safe haven' country, meaning that a new system will need to be put in place to permit the free flow of EU originating data into systems and services operated from here.
Options which would permit this are:
- The UK remains as part of the EEA
- The European Commission makes a decision of adequacy in respect of the UK, or
- The UK negotiates a separate arrangement with the EC to support the lawful transfer of data, akin to the EU-US Privacy Shield.
Alternatively, UK companies could rely on data transfer agreements based on the EU Model Clauses.
The GDPR mandates change to, for example, standard data processor and data sharing provisions. Whilst our view is that the GDPR's requirements represent baseline standards for good data management and should continue to be applied as a standard for effective supplier management, the exact requirements following Brexit are currently unclear.
Updated contracts will need to provide for the flexibility required by the contractual relationship in question: this is likely to include the Data Protection Act, local laws around Europe and the world as applicable, the GDPR and any equivalent legislation applied in the UK.
UK companies which delay taking steps to prepare for the GDPR (or any UK equivalent) risk losing competitive advantage once the new regime comes into force due to the likely constraints that will be imposed on consumer marketing, data analytics and data sharing activity, and related exposure to potential fines given a new and more assertive enforcement model.
1. Data transfers
If there are few practical transfer options available, or the ones which are available are time-consuming or administratively complex, then organisations from outside the EU may decide to move their data from the UK to another EU country.
Failing to reflect GDPR/Brexit in contracts involving processing data over the medium term may risk contracts being non-compliant with the emerging regulatory regime, leaving either party potentially exposed to regulatory sanction or censure.
- Organisations processing data within the UK should still prepare for the GDPR, and should start their planning now if they haven't already done so. Preparation should include:
- Mapping and documenting data flows to be clear about the purposes and legal basis for processing
- Putting in place effective Governance, and
- Implementing training within your organisation.
- Monitor how the mechanics of the Brexit process impact continued processing of EU originating data, and determine which of the listed options may, or should, be used in order to ensure any relevant data transfers are compliant.
- When updating contracts to be GDPR-ready, ensure the approach taken anticipates a different potential legal position across different EU jurisdictions and supports potential changes in the law in the near term.
For a more detailed analysis of the issues, please contact the authors or your usual DLA Piper contact.