Generally, all the requirements of GDPR have been enshrined in UK law in the Data Protection Act (2018) and so these are not affected by the decision to leave the European Union. However, there are three topics that may well affect us, one of which is much more time critical and serious.
The first relates to what happens when the EU makes changes to GDPR in the future. We will need to decide each time whether we wish to adopt these changes into UK law or not. Realistically, it is difficult to see how or why we would not, and this has an impact on point 3.
Secondly, at some point the EU will publish a new ePrivacy directive. This was originally planned to coincide with GDPR but that never happened, and draft proposals are still out with member countries for review. If we choose to adopt this, it will replace PECR (the 2003 regulations that gave rise to cookie policies and the requirement for consent for email and SMS marketing).
The third and much more time critical issue is that from 1st January 2021, transfers of personal data to the United Kingdom from the EU can continue only if they comply with specific Union rules and safeguards relating to the transfer of personal data to third countries.
Without a satisfactory resolution, this would prohibit an organisation in the UK from transferring data from the EU, and the most immediate effect of this would be to prohibit the use of data centres and cloud storage which are hosted in the EU. Many will have chosen a data centre in Ireland and that could become unlawful.
So, what are the options? Well, the simplest thing would be for the EU to adopt a unilateral adequacy decision in favour of the UK. This is quite possible, as our data protection laws are almost exactly in step, but this could well be a negotiating point and as such may not be resolved until very close to the end of the year. In fact, in a recently published document from the EU entitled ‘Getting ready for changes – Communication on readiness at the end of the transition period between the European Union and the United Kingdom’, the EU says that it will use its best endeavours to conclude the assessment of the UK regime by the end of 2020 with a view to possibly adopting a decision if the United Kingdom meets the applicable conditions.
However, its advice is ‘Businesses and public administrations should take the necessary steps to ensure the compliance of any personal data transfers to the United Kingdom with Union data protection law, irrespective of the scenario whereby an EU adequacy decision will be taken with regard to the United Kingdom. Compliance can be achieved by having appropriate safeguards in place as foreseen by the General Data Protection Regulation, including binding corporate rules, or through specific derogations’.
What does this mean? Well, we need to hear our government’s position and their plans, but we need to start planning in case no agreement is reached.
This could be very disruptive, so contact me to start the conversation if you currently transfer data to or from the EU, and I also recommend you add it to your risk register.