Even though the UK has now implemented the General Data Protection Regulation (GDPR), it’ll need to agree new arrangements with the EU post-Brexit.
Last August, before the regulation came into force, the government published a ‘future partnership paper’, covering the exchange and protection of personal data between the UK and the EU, post-Brexit.
The paper confirmed that the UK would implement the EU’s new data protection framework into UK domestic law which, as we’re all aware, it’s now done. But even though the UK’s data protection laws are now in line with the EU’s, it’ll still need to agree new arrangements governing the flow of data between it and EU countries.
The UK will need to reach this type of agreement with the EU before Brexit happens, to make sure that the rules for exchanging and protecting personal data are clear – offering vital stability for businesses, public authorities and individuals. A formal agreement would also allow the UK regulator (the Information Commissioner’s Office) to maintain effective regulatory cooperation with other EU information regulators.
But the current political uncertainty – and the talk of a ‘no deal’ Brexit being a very real possibility – threatens the likelihood of this type of agreement being made. If the UK leaves the EU without any formal withdrawal agreement, the free flow of data between it and the EU could be suspended. If this happens, the consequences for businesses – as well as individuals – could be significant, particularly if they haven’t prepared properly in advance.
Businesses of all sizes need to prepare carefully and thoughtfully for this possibility. It’s a good idea to start putting contingency plans in place now, to make sure you can continue to exchange data with the EU even in the absence of any overarching agreement. By doing this, you’ll be able to minimise the risk of disruption to your day-to-day business activities – as well as your bottom line.
One way to safeguard against this is for you and your data receivers to enter into certain types of contracts that incorporate the standard data protection clauses that the EU Commission has adopted, which will remain valid and in force until amended, replaced or repealed in accordance with Article 46(5) of the GDPR. There are essentially three different Commission-approved types of standard contractual clauses covering (1) controller-to-processor transfers; (2) controller-to-controller transfers and (3) processor-to-processor transfers.
The key issue is to identify which category your data transfer falls into and to consider using the relevant contractual clauses in any final service-level agreement. One final point is that it is not yet clear whether the Commission intends to adopt new standard data protection clauses that reflect the GDPR’s more restrictive framework – but this is likely, so watch this space!
Time’s running out, with the UK due to leave next March. Contingency plans require careful thought and can take time to put in place. The GDPR doesn’t solve the issue of exchanging data with the EU, so you need to start thinking now about how you’ll continue to operate in the event of a no-deal Brexit.
Richard Thomas is a partner at Capital Law
©2018 funds europe