Author: Eddie Powell
Eddie Powell, Partner, Fladgate LLP (firstname.lastname@example.org)
In amongst all the uncertainties of Brexit, the good (or bad, depending on your outlook) news is that GDPR will definitely still apply in UK, as part of our domestic law, for the foreseeable future, whatever happens.
So Brexit should make very little difference to the way that your business handles data protection compliance, and the financial penalties for non-compliance remain.
One area that Brexit will impact businesses is in relation to transfers of personal data between the UK and EU. This can arise where, for example, a German business has an office or subsidiary in the UK and information about UK staff is managed in Germany as part of a centralised HR function. Or it could arise in the context of a CRM database which is shared between a UK office and its Continental counterparts. The issue would also arise in the context of a UK company delivering services to an EU customer where the services involve handling personal data.
The GDPR regulates transfers of personal data from EU countries to ‘third countries’; this is generally prohibited unless either the country’s laws have been approved as providing ‘adequate’ protection for individuals or other steps are taken, notably using standard form contracts, which effectively means that EU data subjects would have the similar rights in relation to their personal data in that ‘third country’.
If the Government’s withdrawal deal is ratified, then during the transition period there will be no change to the position, and transfers of personal data from the EU to the UK will be unaffected.
But if there is a ‘no-deal Brexit’ then on 29 March, the UK will become a ‘third country’ and:
In the long run, the EU has committed, as part of the proposed withdrawal deal, to making an ‘adequacy’ decision before 2020. Even if there is a ‘no deal’ situation it is likely that such a decision would be (eventually) made, assuming the UK law remain as per the GDPR. The UK has given a commitment in the political declaration section of the withdrawal deal, to ‘essentially equivalent’ protection
 European Commission Notice to Stakeholders “Withdrawal Of The United Kingdom From The Union And EU Rules In The Field Of Data Protection” 9 January 2018
 DCMS Guidance “Data protection if there’s no Brexit deal” 13 September 2018
For legal updates and news, please visit Fladgate’s Brexit briefings blog