The UK has now left the EU, and a few things have to change. In this article we’ll be looking at how GDPR and Brexit changes will affect you, whether you need an EU representative, what is adequacy status (this one is important) and how you can ensure you don’t fall foul of the GDPR and Brexit conundrum.
Changes to data protection: GDPR after Brexit
Just to put your mind at ease right from the start, many of the relevant laws and regulations are derived from EU law and will be incorporated into UK law and so wide-ranging changes to data protection after Brexit are very unlikely.
Now that the transition period is over, it has been announced by the government that an agreement is in place with the EU that will allow personal data to flow freely from the EU (and EEA) to the UK, (at the time of writing this runs until June 2021) until adequacy decisions have been made.
There is a little more to it though.
These small changes can have huge ramifications, as we will see later in the section on GDPR fines. It’s not just large companies who are being hit with fines.
EU Representation is not in any doubt, you need it, what is still up in the air are the specifics of the landscape after this agreement expires. The ICO is recommending that alternative transfer mechanisms are put into place, with many organisations already preparing SCC’s.
You can learn more about important changes relevant to you and your company, from our recent webinar GDPR after Brexit.
(Don’t worry if you missed the live version, we’ve got the recording for you to download here).
Whilst many aspects of post Brexit data protection will remain the same, there are issues that you will need to account for, for example, the different situations in which you would require an EU representative, (skip ahead to the FAQ’s if you’re especially eager to find this out).
The first ‘Brexit changes’ with regards to data protection were brought in almost 2 years ago, during the grace period (the time period the UK had to make arrangements to leave the EU) the UK passed the Data Protection Act 2018 (DPA 2018) which goes some way to ensuring the UK achieves adequacy status.
Which leads us onto…
UK adequacy decision post Brexit
According to government guidance, it was thought to be extremely likely that the UK would have achieved adequacy status by the time the UK transition period finished at the end of 2020, and thus UK based businesses would be able to continue to handle data with no issues (Source).
It will be the European commission who make the UK decision on whether to grant the UK adequacy status or not.
What is the adequacy status?
Adequacy status is simply proving to the EU that data is processed safely, to at least the same standard as that stipulated by GDPR.
This is exactly what the UK has to do.
GDPR post Brexit & transition period
The transition period has finished, so data is no longer able to flow freely between the EU & the UK as it could before.
But speaking of the transition period and the ability to handle data post Brexit, we need to mention EU representatives.
You didn’t need an EU representative during the transition period. Now the transition period is over however, you do need to appoint an EU rep.
As stated in the official government guidance, there will be no immediate changes to the UK’s data protection standards (Source). At such time we can expect to find out for certain about the UK data protection adequacy decision.
However, you will need an EU representative now that the transition period is over if you store data or do business with anyone in the EU.
We’ve already mentioned that Brexit has changed how you store data, this topic can get a little wordy and complicated…
You’ll most likely have to switch from any UK based cloud storing service. Although there can be mitigating circumstances as to why you might not have to do this (such as contractual clauses or migration).
We’ve got a really useful webinar on the topic where you will learn about important changes to data storage, changing laws relevant to you and more, in order to help you navigate the landmines that fill the ever-changing landscape of data protection.
Presented by two industry experts, the webinar makes this complex topic easier to digest, you can check it out here: GDPR after Brexit.
International data transfer penalties
GDPR fines take into account a multitude of factors when determining whether or not a breach has been made. This information is then used to determine the severity of the fine.
Lower level fines can be as high as €10 million, or 2% of the companies worldwide annual revenue of the prior financial year, whichever is higher.
Upper-level fines can be up to €20 million, or 4% of the worldwide annual revenue, again, whichever is higher. Below are just a few examples of the enormous data protection violation fines from 2019.
GDPR fines: Causes & Amounts
As we can see here, failure to comply with GDPR has led to enormous fines.
This is purely to demonstrate that failure to comply with data protection laws does not go unpunished. Fines are severe in some cases, so much so that it can threaten not only the reputation of an organisation but their very existence.
It is not only huge enterprises are being hit with fines. Now, UK businesses must comply with local data protection laws, European data protection institutions such as the Spanish AEPD.
Fines to small(er) businesses are far more aggressive. Don’t think that because you’re not a behemoth, you’ll be exempt from data protection fines, or treated more leniently.
If you’re worried about being hit with a fine just as these companies have, you can take our GDPR risk assessment and it will identify threats and provide solutions that make ensuring you are GDPR compliant, easy.
You can get much more specific information regarding GDPR breaches, fines, what factors are taken into account as well as who administers the GDPR fines in our webinar GDPR after Brexit.
How to stay compliant with GDPR after Brexit
As we’ve already discussed, GDPR is European legislation, and as such, means that now the transition period is over, the UK will no longer be under any obligation to abide by GDPR.
So, does that mean you don’t have to be GDPR compliant after Brexit?
Yes and no.
As you’ll see in the FAQ section below, the UK intends to incorporate GDPR into UK law. As such, UK companies will have to be compliant with GDPR, albeit a slightly different version. Because GDPR will be working in conjunction with the DPA 2018, the UK’s existing data protection law.
Upon leaving the EU, the UK has third country status. This is the reason the UK will need to achieve the adequacy status we spoke about before.
Should a UK based company do business with any company or customer in the EEA, both parties must adhere to GDPR, regardless of the fact the former is based outside the EEA. So, long story short, you should be taking steps to ensure you’re GDPR compliant.
If you’re interested in how you can stay GDPR compliant be sure to take a look at International Data Transfers, our GDPR software that helps you avoid being hit with huge fines, whether they’re caused by a small oversight or a monumental mishandling of data, don’t take the risk!
GDPR and Brexit impact: How will Brexit affect GDPR?
Incorporating GDPR into existing UK data protection law means there will be a UK GDPR after Brexit. This is because the UK must prove that it can safely process data to at least the same rigorous standard as stipulated in GDPR.
Whilst there will be minimal changes, Brexit impact on data protection is clearly something you need to prepare for, the severity of fines you could be hit with means you have to be ready, even for these small changes.
We have already seen the first instance of Brexit impact on GDPR in the creation of the DPA 2018 we mentioned earlier.
Until the end of the transition period (the end of 2020), there were no changes to data protection.
- Automatic generator
- Ensure you’re always GDPR compliant
- Dynamic privacy policies
- Extremely helpful whether you’re new to data protection or a veteran.
- Why? If you’re a newcomer, there is information that will be invaluable to you, if you’re more experienced, it’s a huge time saver and can help just in case you’ve overlooked some new legislation.
The ICO itself admits that it does not yet know exactly ‘what the data protection landscape will look like’. So overlooking some information is not beyond the realms of possibility.
You’ve undoubtedly got some concerns related to data protection, GDPR and Brexit. In order to help alleviate these concerns, you can consult the FAQ section for some quick answers.
UK GDPR is now in effect, and sits alongside the DPA 2018. It’s very early days and there will undoubtedly be more changes coming, so be sure to keep an eye out for useful information!
Brexit and GDPR FAQ
As it’s a European regulation, GDPR would not apply to the UK, however, they would apply should you do business with any individual or organisation in the EEA.
Nothing, for now. Until the end of 2020, there is a transition period, so that all the details can be ironed out. So if you’re compliant with GDPR, then great news for you, you still are! (Until next year). As we said in the previous point, if the UK government does indeed incorporate GDPR into UK data protection laws, then there would be little to no change.
This totally depends on negotiations that are yet to take place. However, the default would be that GDPR would simply be brought in as UK GDPR.
Yes, you will need to appoint a European Economic Area representative if you are selling to individuals in the EEA or if you’re monitoring the behaviour of individuals in the EEA. For information related to appointing a representative in the EU & NIS, scroll down to point 9.
The Data Protection Act 2018 (DPA 2018) will continue to apply, GDPR will then be incorporated into this so that UK companies can continue to operate in the EU, the law will likely be known as UK GDPR.
Yes, data transfers from the UK to the EEA will not be restricted. However, GDPR rules will apply to data coming from the EEA to the UK.
The same rules still apply as set out in the DPA 2018 and will only bring in some minor changes to reflect the UK being outside the EU. When this transition period ends, transfers of data from the EU to the UK will have to abide by transfer regulations in the sender’s country.
Yes, PECR in the UK is derived from EU law, it’s set out in UK law and so will not need to change post-Brexit.
Yes, NIS is derived from EU law and set out in UK law and will, therefore, continue to apply. If you’re a digital service provider based in the UK you will need to appoint a representative in one of the EU member states in which you operate.
Yes and no, as an EU regulation won’t apply to the UK after Brexit. However, the eIDAS regulation, much like GDPR, will be incorporated into UK law. This means you should be planning to act as if eIDAS is still in effect which in essence, it will be.
Yes. As a UK law, nothing will change when the UK leaves the EU.
Yes, the environmental information regulations are part of EU law and are set out in UK law.
If you’ve got any questions related to GDPR and Brexit, feel free to contact us.