For the past year or so, two acronyms have evoked a range of emotions in people in the United Kingdom and across the EU, whether excitement, fear, intrigue or dislike: (1) GDPR; and (2) Brexit.  And now, with Brexit day looming, there is increased focus on just how these two acronyms will work together post-Brexit.

As the recent £44 million fine imposed on Google has shown, compliance with the GDPR should be taken seriously and this will continue to be the case post-Brexit.

There is still a lot of uncertainty surrounding Brexit.  On the 29th January Parliament endorsed the view that Theresa May’s government should look to renegotiate the backstop arrangements - but the EU have indicated they have no desire to re-open negotiations on the backstop or any of the rest of the Withdrawal Agreement.  Parliament also voted (albeit informally) to rule out a No-Deal Brexit - although in the absence of any legal alternative there remains a risk that we will have a No-Deal Brexit (perhaps by accident rather than design).

With a No-Deal Brexit an increasing possibility, it is important for companies to consider whether their data protection practices, data flows and data transfer agreements may be affected by Brexit and make preparations for a No-Deal Brexit scenario.

Should a No-Deal Brexit happen, the UK will become a “third country” on Brexit day.  A “third country” under the GDPR is a country outside the EU whose data protection laws have not been deemed “adequate” by the EU.  While there is confidence that the UK will be deemed adequate by the EU in the fullness of time, the process for determining adequacy is complex and lengthy.  Therefore, companies should not hold off taking action in the hope of a speedy adequacy decision!   The UK is set to incorporate a compatible form of the GDPR into UK law on Brexit day, making it domestic law (commonly referred to as the “UK GDPR”), although this will not address all compliance risks.

One of the biggest concerns relating to the “third country” status of the UK is around transferring personal data.  In summary, if you transfer or share personal data from a country in the EU into the UK, you will need to reassess your data sharing practices and put in place a contractual mechanism whereby personal data can continue to be shared in compliance with the GDPR.  This will often arise where different companies within the same group wish to share personal data within the group – the contractual mechanism in that case being a so-called intra-group agreement.

In the absence of any imminent adequacy decision, the GDPR allows personal data to be transferred to a third country (the UK post-Brexit) if the EU company has entered into the Standard Contractual Clauses (the EU-approved “model clauses”) with the receiving company, or if the EU company has binding corporate rules in place (as approved by the EU).  A company may also seek to rely on an Article 49 derogation to transfer the personal data, but such derogations are limited in application, should only be used for one-off transfers, and are not intended to legitimise regular transfers of data.

The method that is likely to be widely adopted is entering into the Standard Contractual Clauses.  These can be entered into fairly quickly, the terms are not open for negotiation between the parties, and they can sit alongside an existing contract without necessarily having to re-negotiate the commercial terms of that contract.

For data transfers from the UK to a country in the EU, or to a country which has already been deemed adequate, the Information Commissioner’s Office has confirmed that data will continue to flow freely without restriction – however, this may change in the future.  For data transfers from the UK to the rest of the world (countries neither in the EU nor deemed adequate), it is expected that the situation will be the same as it currently is under the GDPR, i.e. additional measures will have to be put in place before transferring the data, and such measures will be defined under the UK GDPR.

As with many (if not all) areas of the law which Brexit will touch, we have not been given all of the answers yet.  However, what is clear is that the post-Brexit data protection landscape will be different, and companies need to start reviewing their practices and identifying where positive pre-Brexit actions can be taken to ensure ongoing compliance.