Brexit and GDPR | 12/02/2020 | GenesisIT,Hull

Brexit and GDPR

Genesis Business Systems Blog

GDPR After Brexit

Introduced in May 2018, there was a lot of noise surrounding GDPR and how it would affect UK Business’s. With the evolution of Social Media and Digital Marketing, GDPR was the biggest change to data protection regulations in over 20 years, with the aim of protecting EU citizens from having their data exploited.

Now that the UK has evoked Article 50, and begun the process of leaving the European Union, what affect will it have on GDPR regulations?

Whilst we are in the transition phase, the UK will still follow EU rules and regulations and therefore, GDPR will still apply during 2020. If the transition phase is not extended, then from January 2021 the UK will stop following EU rules & regulations. However, the UK is very committed to having robust data protection laws and was a major contributor to the creation of GDPR, and as such the UK has already agreed to write GDPR into UK law as part of the Withdrawal Agreement. This mean that the UK will use the Data Protection Act (which was updated in 2018 as part of the commitment to the withdrawal agreement) in tandem with GDPR to govern Data Protection policies.

Upon leaving the EU the UK will be given ‘third country’ status, which means it must maintain laws on data protection that are equivalent to those governing the EU. This safeguarding measure known as an adequacy agreement will ensure that data that belongs to EU citizens is still protected when transferred outside of the bloc.

Many business’s will have already made change to their policies on the handling of data and adhere to GDPR regulations. Regardless of whether the UK leaves the EU with a deal or not, any UK company dealing with EU residents will need to adhere to GDPR, so if you are not already compliant, now is the time to address the situation.

Who is responsible for enforcing regulations?

After the transition period, the UK will be outside of the European Court of Justice jurisdiction and so the enforcement of data regulation will mainly be dealt with by the Information Commissioners Office (ICO), unless the case deals with EU residents where the company will need to liaise with the relevant EU data protection authority and/or the European Court of Justice.

What if there is a ‘No Deal’ Brexit?

As previously mentioned, regardless of whether a deal is agreed or not, any company dealing with EU residents will need to comply with GDPR. However, things are still a little more complicated with the flow of data.

The UK government have committed, in the event of a ‘No Deal’, that it would still permit data to flow from the UK to countries within the European Economic Area, thus reducing the impact on supply chains. But the European Union do not have to agree to allow the flow of data from the EEA into the UK. This is an area that will become a key part of the negotiations to secure EU approval for the transfer of data.

As a deal on the transfer of data can not be guaranteed, the ICO is advising that those organisations that rely on the transfer of data between the UK and the EEA investigate different transfer mechanisms.

One idea is to insert GDPR style clauses into contractual arrangements. These terms, known as Standard Contractual Clauses (SCCs), form part of a contracts terms & conditions and require both parties to confirm agreement through signature.

It has been questioned whether SCCs can legally be enforced, raising doubt about their suitability to replace GDPR, however the ECJ ruled during a landmark case in December, that they were legitimate methods so long as the company take measures to ensure data is protected.

In the reverse of this situation, companies within the EU handling data that involves UK residents, of data that flows to the UK, will need to ensure that the data is protected in a method recognised by the EU, such as the UK Data Protection Act 2018.

Which other data regulations will be affected?

Many other regulations and rules have already been migrated into UK Law, and so will not be affected by Brexit. These include:

The electronic Identification, Authentication and Trust Services (eIDAS)

Although this has not yet been incorporated into UK law, the UK government have said it will be thus limiting disruption.

The directive on security of network & information systems. (NIS)

Derived from EU law and incorporated into UK law, but it will require companies to follow local laws in any member state they deal with and the appointment of a representative.

Privacy and Electronic Communications Regulations (PECR)

The Eu is due to update this policy with the ePrivacy Regulation. This change will come into force after the UK departure, and there is not yet any indication of whether the UK will adopt the changes into law.

However, in the event of a No Deal Brexit, businesses will be required to adhere to local NIS laws in each Member State in which you provide services, which may require appointing a representative.

Freedom of Information Act (FOIA)

Brought into UK law in 2000 and will continue to apply even in the event of a No Deal Brexit.

Environmental Information Regulations (EIR)

These are already established in UK law and unlikely to be removed.

So, what do I need to do?

With so much detail still to be negotiated and planned, it is hard to say for definite what actions need to be taken. The best advise would be to plan for the worst and hope for the best. Business’s will need to be agile so that they can react to ever changing situations. It would be wise for all companies to carry out a risk assessment, and budget for changes you must make.

Is your data held locally, if so, do you have the right cyber security, backup and disasters recovery in place to help you meet GDPR and Data Protection Act requirements? If you move your data to the cloud, where will the data centre be located?

Is your accounting system flexible enough to allow for any changes in tariffs?

If there are delays in the supply chain and the movement of goods, do you have the stocks and cash reserves/credit limits to support this? If stock levels are lower, are you prepared for price changes that this might induce?

If you are planning to upgrade your IT Systems, what is the stock availability and where are suppliers located?

For consultation and advise on Accounting and ERP Systems, IT Hardware and Cyber Security, please feel free to contact us.