Brexit and it’s affect on EU companies – A GDPR perspective

Brexit is to take effect on the 29/03/2019 23:00 GMT.

Deal is still in discussion with the EU meeting up to take the decision on the 21/03/2019.

There are currently 2 possible outcomes:

Deal
No Deal

Deal

In case of a deal being struck, the transition period will commence and EU law will remain in effect until the end of 2020 incl. GDPR. The UK is also hoping to obtain an adequacy decision by the end of 2020, which would mean that any data transfers to the UK would remain unaffected. Given that the UK is already GDPR compliant and it’s revised post Brexit laws are based on GDPR, there are no foreseen roadblock to obtaining such adequacy decision.

This would mean no impact for EU based companies, provided the adequacy decision is granted by the European Commission.

No Deal

This means that there would be no transition period and the UK would effectively be considered as a 3^rd country.

This would mean that legal provisions in the form of Standard Contractual Clauses (SCCs) would need to be signed with all providers who store or process any form of personal data on a company’s behalf in the UK.

Current Situation

Before a vote could be taken on the 21^st March, Theresa May asked for an extension which was discussed in parliament yesterday. The outcome of this particular circus is the following:

Extension until May 22^nd if the deal is approved by the UK parliament next week.
If not approved next week the extension will be till April 12 at which point the UK will need to indicate the way forward i.e.
1. Remain ;
2. Extend with a long extension that means the UK will have to participate in the European Elections in May 23^rd– 26^th;
3. Crash out with no deal on April 12^th.

Conclusion

Given the uncertainty that still lies around whether Brexit will happen with a deal or without a deal, it is best that EU based companies who have business with the UK that involves and form of personal data, put in place SCC’s or BCRs so as to be prepared in case of a no deal crash out. Having SCC’s in place even if a deal happens, is not a negative thing as SCCs tend to be more general and less onerous than a DPA. As such, there is no harm in having the extra coverage and avoiding running around chasing documents last minute in a bid to legalise the data processing.

Extra

The International Association for Privacy Professionals (IAPP) has released a very useful info-graphic summarising the data transfer mechanisms in relation to Brexit. You can learn more visit the IAPPs website.