GDPR & Brexit: What Does It Mean For Your Business?

Last updated: 1 December 2020

Estimated reading time: 5 minutes

Member View

The UK’s transition period for exiting the EU is coming to an end. At the same time we are receiving more and more enquiries from clients concerned about what Brexit will mean for them in terms of GDPR compliance and their internal data protection policies. Here we consider some of the things you need to bear in mind to ensure you comply with GDPR rules after Brexit.

We’ll be covering:

  1. The background to GDPR
  2. GDPR is an EU law. Will it apply after Brexit?
  3. Does data protection law apply to my business?
  4. Could I lose access to personal data when Brexit takes place?
  5. Why might the flow of personal data be interrupted?
  6. The EU and ‘adequacy decisions’
  7. So, what should my business do about data protection after Brexit?

The background to GDPR

The need to protect personal data in our data driven society resulted in a huge effort in Brussels, London and elsewhere to upgrade data protection rules. The result was GDPR to which the UK signed up as an EU member. In the context of Brexit it’s worth remembering that personal data is constantly crossing territorial boundaries in complex technological ways. The need for this data flow won’t diminish after Brexit so organisations in the UK need to ensure that they comply with the rules. The main issue for our clients is that, with the UK’s legal relationship with the EU in a state of flux, there is a good deal of uncertainty about what data protection compliance will look like after Brexit.

GDPR is an EU law. Will it apply after Brexit?

Technically GDPR won’t apply in the UK when the transition period ends. But UK businesses will still have to comply with UK data protection law as the government has indicated that it intends to incorporate all the terms of GDPR into UK law. The new law is likely to be referred to as UK GDPR. In practice therefore the processes you have put in place for GDPR compliance will remain relevant and essential. In addition, if you are doing business in Europe involving the use of personal data you will have to adhere to all the EU rules on data protection – including GDPR. This may make it necessary for you to appoint an EU representative for GDPR.

Read our article on why appointing an EU representative may be required for your business and insight from data protection specialist, David Sant.

Does data protection law apply to my business?

If you control or process personal data then you are subject to the rules. In fact, there are few businesses in the UK that operate without processing or controlling personal data – even if the only personal data in a business is used to pay staff. Many businesses are much more reliant on personal data than that. And many of them are reliant upon accessing or processing data across the EU. This may simply be because a business supplies into the EU (or takes supplies from the EU) but might also be for more technical reasons: for example, the definition of ‘processing’ (which is a key term in data law) extends to ‘storage’. The effect of this is that if you store your personal data on a server in the Republic of Ireland, then you are processing personal data there.

The statistics indicate that three-quarters of the UK’s cross-border data flows are with EU countries: a great deal of personal data is being shared across the EU.

Could I lose access to personal data when Brexit takes place?

The government has stressed that it wants to maintain the unhindered flow of data between the UK and the EU after Brexit. But as we explain below achieving this aim may not be entirely straightforward.

Why might the flow of personal data be interrupted?

Under the EU’s data protection framework, any country other than those in the EU and the European Economic Area (the EEA) is classed as a ‘third country’. On leaving the EU, the UK will be a third country. EU requirements mean that personal data can only be transferred to the UK from the EU when an adequate level of protection is guaranteed.

The EU and ‘adequacy decisions’

The obvious solution here would be for the Government to obtain an ‘adequacy decision’ from the European Commission, certifying that the UK’s data protection regime is sufficiently robust to enable the continued uninterrupted flow of data between the EU and the UK .

However, an adequacy decision is a formal, legislative decision of the EU and it takes time. To date the EU Commission has not made an adequacy decision. Some have suggested that the government’s expressed intention to exclude the Charter of Fundamental Rights from EU retained law after Brexit will make it harder for the EU Commission to confirm that the UK’s data protection systems are adequate. That’s because the EU views the Charter as integral to the protection of personal data.

Added to this, the Court of Justice of the European Union’s recent decision in a case known as Schrems II raises a further question mark over data flow between the UK and the EU post-Brexit. Schrems II concerned data flow between the EU and the US. But the court’s focus on US government surveillance powers as a key reason to find the existing ‘privacy shield’ inadequate (the privacy shield enabled the flow of data between the US and the EU) could have repercussions when it comes to deciding on the adequacy of UK data protection. The UK’s Investigatory Powers Act 2016, for example, allows the UK government to access personal data in certain circumstances that are similar to the US authorities highlighted in Schrems II.

So, what should my business do about data protection after Brexit?

The way the flow of data between the UK and the EU is regulated after Brexit will depend largely on whether or not the EU agrees that the UK offers individuals adequate data protection. It may well be that an adequacy decision will not be forthcoming. In such a scenario, UK businesses will have to find other ways to legitimately transfer data to the EU.

For the moment however, and until an adequacy decision is reached the ICO has made clear that until most of the data protection rules affecting small to medium-sized businesses and organisations will stay the same. If the sharing of personal data across the EU is a key aspect of your business, then you should keep a close eye on what the government is proposing in relation to this issue so that you can take it into account in setting your medium and long-term strategies. In the meantime, if you would like any support or advice regarding your data protection processes or policies and how these could adapt, our expert data protection solicitors can provide the help you need.

Back to table of contents

What next?

To access legal support from just £99 per hour arrange your free no-obligation initial consultation to discuss your business requirements. Call us on – 0800 689 1700, email us at enquiries@hjsolicitors.co.uk, or fill out our contact form and we’ll get back to you within 24 hours.

  • Your data will only be used by Harper James Solicitors. We will never sell your data and promise to keep it secure. You can find further information in our privacy policy.

  • This field is for validation purposes and should be left unchanged.
  • This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

A national law firm

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

Floor 2, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
10 Fitzroy Square, London, W1T 5HP
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
2-5 Velocity Tower, 1 St Mary’s Square, Sheffield, S1 4LP
Like what you're reading?

Like what you're reading? Get new articles delivered to your inbox

Join 8,067 entrepreneurs reading our latest news, guides and insights.

Subscribe