Brexit and Data Protection

6 December 2018

General position

In amongst all the uncertainties of Brexit, the good (or bad, depending on your outlook) news is that GDPR will definitely still apply in UK, as part of our domestic law, for the foreseeable future, whatever happens.

So Brexit should make very little difference to the way that your business handles data protection compliance, and the financial penalties for non-compliance remain.

Transfers of personal data between UK and EU

One area that Brexit will impact businesses is in relation to transfers of personal data between the UK and EU. This can arise where, for example, a German business has an office or subsidiary in the UK and information about UK staff is managed in Germany as part of a centralised HR function. Or it could arise in the context of a CRM database which is shared between a UK office and its Continental counterparts. The issue would also arise in the context of a UK company delivering services to an EU customer where the services involve handling personal data.

The GDPR regulates transfers of personal data from EU countries to ‘third countries’; this is generally prohibited unless either the country’s laws have been approved as providing ‘adequate’ protection for individuals or other steps are taken, notably using standard form contracts, which effectively means that EU data subjects would have the similar rights in relation to their personal data in that ‘third country’.

If the Government’s withdrawal deal is ratified, then during the transition period there will be no change to the position, and transfers of personal data from the EU to the UK will be unaffected.

But if there is a ‘no-deal Brexit’ then on 29 March, the UK will become a ‘third country’ and:

  • The EU Commission has said it will not automatically grant the UK ‘adequate’ status, so every EU data controller will have to put standard form contracts in place if a UK business is to receive or have access to personal data[1].
  • The UK has said that it would not insist on compliance steps for transfers of personal data going the other way, out of the UK to the EU[2].

In the long run, the EU has committed, as part of the proposed withdrawal deal, to making an ‘adequacy’ decision before 2020. Even if there is a ‘no deal’ situation it is likely that such a decision would be (eventually) made, assuming the UK law remain as per the GDPR. The UK has given a commitment in the political declaration section of the withdrawal deal, to ‘essentially equivalent’ protection

Action points

  • If you have not already got yourself fully compliant with GDPR, then there’s no point waiting; the law is unlikely to change and your risk of sanctions will only increase. Fladgate can help with this, so please contact us.
  • If you have offices, agents or providers in the EU, it is worth checking whether a ‘no-deal’ scenario would trigger an obligation on one of the parties to have contract terms in place in relation to any EU to UK data transfer, so that if that does happen, you can get the ball rolling in good time before 29 March.

[1] European Commission Notice to Stakeholders “Withdrawal Of The United Kingdom From The Union And EU Rules In The Field Of Data Protection” 9 January 2018

[2] DCMS Guidance “Data protection if there’s no Brexit deal” 13 September 2018


Eddie Powell Author
Eddie Powell
About the author