10 things you need to know about Brexit and GDPR

What’s happening on Friday 31 January 2020?

From Friday 31 January 2020, European rules and regulations stopped having effect in the UK by virtue of the fact that the UK’s membership in the EU will end. Britain has now entered a transitional period which will last until 31 December 2020.

To prepare for this change, the government passed a flurry of Brexit-related legislation in recent years. The one relating to data protection is the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

How much of an impact will Brexit have on business?

While there is sure to be some level of impact for everyone, the impact of Brexit on each business will depend on the type of business and, most importantly, in which jurisdiction they collect and process data. Due to the Brexit transition period, the impact is unlikely to be immediate.

What is the purpose of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019?

As GDPR will no longer apply directly in the UK, these regulations introduce a single regime for general processing activities known as the UK GDPR. It also replaces references to EU member states, institutions, procedures and decisions that will no longer be directly relevant after Exit.

The law revokes the regulations on the processing of data by EU institutions, as well as EU adequacy decisions on standard contractual clauses. It also removes the obligations on the Information Commissioner’s Office to cooperate with other member states’ supervisory authorities under the Law Enforcement Directive. The Law Enforcement Directive (LED) is a piece of EU legislation parallel to GDPR which also came into effect in May 2018. The LED deals with the processing of personal data by data controllers for law enforcement purposes which fall outside of the scope of GDPR.

What’s the difference between the UK GDPR and the EU GDPR?

In 2020 there will be two GDPRs in effect that apply domestically to the UK in addition to the Data Protection Act 2018, of which an amended version also takes effect 31 January 2020.

The UK GDPR maintains the data protection standards that currently exist under EU GDPR and the Data Protection Act 2018. It introduces a newly merged regime for general processing activities.

The core provisions of GDPR all remain the same under the new domestic UK GDPR, including:

  • The principles relating to the processing of personal data and the lawfulness of processing (Article 5)
  • The rules around the processing of special categories of personal data (Article 9), also known as sensitive personal data such as data on race, political opinions, religious or philosophical beliefs, biometric data, sexual orientation and more
  • The conditions for consent (with the exception of the valid age of consent which has been lowered to 13 years in the UK GDPR from 16 years in the EU GDPR)
  • The rights of the data subject including the right to access, right to be forgotten, right to data portability and the right to rectification etc

Which version of GDPR should we be applying during the transition period?

The Data Protection Act 2018 will no longer rely on the EU GDPR, but on the UK GDPR instead. It will refer to the new domestic GDPR after Brexit. This means that when the transition period ends on 31 December, UK citizens will be protected by a comprehensive data protection regime that is made up of the both the UK GDPR that defines (just as the EU GDPR does today) what personal data is and how it is allowed to be processed, and the Data Protection Act 2018, which supplements the domestic GDPR and extends beyond it as well.

The EU version of GDPR continues to apply to the EU, as well any business anywhere in the world processing the data or targeting EU citizens. This means that if a company based in the UK has customers from the EU, or a website based in the UK has visitors from the EU, it will still have to comply with both the EU GDPR and the UK GDPR.

What are the changes to data enforcement and data supervision?

Data law in the UK will not be supervised or enforced by the European Data Protection Board (EDPB), the main power of supervision and enforcement today. Rather, it will be the ICO that will supervise and enforce the domestic UK GDPR and Data Protection Act 2018 in the UK.

What is the role of the ICO?

GDPR introduced the concept of a one-stop-shop for data protection regulation. In the UK, the ICO is the supervisory authority. If your business engages in cross-border processing, which is the transfer or processing of data across the EU, the one-stop-shop allows you to deal with just one supervisory authority, rather than 28. For example, if your business is primarily based in the UK but processes data across EU borders, you could appoint the ICO as your lead supervisory authority and deal with them. Similarly, if you’re based in France but also deal with UK data, the French authority can be your lead authority.

What do you do if your organisation does cross-border processing?

If your organisation does cross-border processing, it is likely you will need to appoint another supervisory authority in the EU. This will be in addition to the ICO, because although both the UK GDPR and the EU GDPR currently still applies in the UK. This will change at the end of 2020 and you’ll need to have the ICO as your authority for processing UK data and another EU supervisory authority for processing EU data.

Similarly, if you deal with any UK data but haven’t been in touch with the ICO till now, it is recommended you do so. While businesses have until the end of 2020 to prepare for post-Brexit data protection laws, it is worth taking the time to get prepared now.

What about appointing a representative?

Until now, non-European countries that deal with EU data had to appoint a representative somewhere in the Union to act as the point of contact for their EU customers and to deal with the supervisory authority. Now that the UK is leaving the EU, UK-based organisations will have to do the same. Further, companies that are based outside the UK but collect data from the UK will have to appoint a UK representative.

This UK representative is who you would notify if there has been a data breach. This is important when dealing with the data of countries from other citizens and the extraterritorial nature of GDPR. UK companies processing or targeting EU citizens are obligated to notify the supervisory authority of breaches of personal data under GDPR.

What should you do now?

  • Establish your organisation’s exposure to GDPR
  • Organisations that only process the data of people in the UK need to comply with UK GDPR and the Data Protection Act 2018
  • Organisations that process the data of people in the EU need to comply with EU GDPR
  • Don’t panic – No immediate changes to the law on Friday

VinciWorks’ GDPR compliance resources

GDPR training screenshot
GDPR: Privacy at Work begins with a course builder to instantly customise the course according to the user’s role in the organisation

GDPR training is one of the key measures a company can take to ensure that staff comply with the regulations. To help organisations maintain GDPR compliance, VinciWorks regularly updates its GDPR training suite. From an in-depth modular course to refresher training and short five-minute knowledge checks, our GDPR training suite allows organisations to train their entire staff on GDPR. This includes both general staff and staff who require specialised training, such as HR, IT, marketing and more. Further, VinciWorks has added training catered to businesses with US-based staff.

We have also created a GDPR resource page that contains guides, on-demand webinars and policy templates to help organisations maintain GDPR compliance.