One of the implications of Brexit that no one is talking about is the impact it will have on a business’ ability to transfer data to and from EU countries.
Supply chains, employment contracts and travel restrictions are all regularly raised as areas of serious concern for businesses. But despite the media interest in GDPR last year, many forget that because it is a law governing the treatment of data of citizens of an international community that the UK is no longer a part of, the legal framework in which UK businesses are operating will change. And this extends to data protection.
Adherence to GDPR or the UK enactment, the Data Protection Act 2018, is not universal across UK businesses. And Supervisory Authorities are openly gearing up to enforce Articles 44-50 post-Brexit as they know it has caught many companies unawares and EU personal data will be left vulnerable as a result.
As soon as Brexit is enacted, the UK becomes a “Third Country” – the EU terminology for a non-EU state, but one that often has a close working relationship with the EU. This means the UK sits outside the legal framework of the EU, and therefore of GDPR.
Because of this external status, the UK is no longer automatically deemed a suitable territory for EU personal data to be processed or transferred to -unless suitable provisions are made by individual businesses (more on these later), and/or Adequacy is granted by the EU.
“Adequacy” is a formal recognition that the country’s data privacy regime (the laws that govern the way in which personal data is treated within the country by the state and businesses and individuals within it) is suitable for EU personal data to be transferred to it, and offers at least similar protections to the regime that the EU member states are bound by. The process of securing Adequacy has historically taken as little as 18 months or as much as five years.
Basically, it all comes down to timing. If there is a deal, then there is a transitional period of approximately two years during which all status quos – including the UK’s suitability for EU personal data transfers – remain. This time period should allow enough time for the UK and the EU to negotiate adequacy.
Without a deal however, the UK is a third country without data adequacy and no surviving status quo. Overnight, it becomes an illegitimate territory for EU personal data.
The onus is on the UK business to make up the shortfall in the legal protection. There are a series of measures, some of which are part of standard GDPR adherence some that are supplementary, that UK businesses will have to revisit. – just as their North American and other international peers had to do in advance of May 2018 if they wished to continue trading with the EU.
These requirements are complicated and far from tick box exercises. The contractual ramifications can be far-reaching. To help UK businesses better understand what they consist of, and how to start addressing them, we’ve put together an infographic that sets out the UK’s changing relationship with the EU and the impact it has on businesses’ interactions with data.