The possibility of the United Kingdom (UK) leaving the European Union (EU) without a deal, even at the end of any extended period agreed with the EU, is a real risk for businesses to consider. This note explains key issues and preparatory steps to be taken in relation to personal data protection in the event of a “no deal” Brexit. Several of these compliance steps are likely to be required whether or not a deal is reached between the EU and the UK.
What happens in the event of a “no deal”?
In a “no deal” scenario, the EU’s General Data Protection Regulation (GDPR) will form part of UK domestic law by virtue of the EU (Withdrawal) Act 2018 (EUWA) with some amendments made to it, alongside the UK’s Data Protection Act 2018 (DPA) and the UK Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (Exit Regulations) that will come into force on exit day will replace references to EU laws and institutions with references to UK equivalents, so that the UK’s legal framework for data protection can continue to function correctly after exit day.
The Exit Regulations also provide that the UK GDPR will have extra-territorial effect in the same way as the EU GDPR. This means that the UK GDPR will apply to controllers and processors outside the UK (including EU entities) whose processing activities relate to offering goods or services to individuals in the UK or to the monitoring of the behaviour of individuals in the UK.
As far as possible it will be business as usual
There would be no immediate change in the UK’s data protection standard because the DPA will continue to apply and the provisions of the GDPR will be incorporated directly into UK law. The UK government has also confirmed that transfers of personal data from the UK to the EEA will not be restricted.
From a UK perspective, no immediate steps need to be taken if an organisation has appointed a data protection officer (DPO) who is based in either the UK or the EEA, provided that the DPO is easily accessible to all and is sufficiently skilled in both EU and UK data protection laws. However, this should be kept under review.
What needs to be addressed?
The full article on our website covers the six key points to consider in case of a “no deal” Brexit from a data protection perspective.