After years in flux, Great Britain has formally withdrawn from the European Union. The country’s departure is unprecedented and has raised several questions about British compliance with EU regulations — which are still in effect, who is still bound, for how long and more.
One of the biggest questions is how Brexit will impact data protection in the wake of the EU’s landmark privacy rule, the General Data Protection Regulation, or GDPR.
Here is how the U.K.’s exit from the EU will intersect with GDPR in the event of Brexit.
How Brexit Will Change Data Protection in the U.K.
Even though the U.K. has formally exited the EU, very few of the expected legal impacts of Brexit will happen right away. For the moment, the U.K. is still bound by many EU regulations and granted key freedoms — like freedom of movement — which will stay in place in the near future. Concerning data protection and GDPR compliance, nothing significant will change during the transition period this year, which ends on Dec. 31, 2020.
After that date, the U.K. will become a “third country” under the terms of the GDPR, unless it is deemed adequate by the EU.
If the U.K. becomes a third country, GDPR restrictions will apply to personal data transferred there from the EU. Companies will also need to update their privacy policies to reflect the U.K.’s status.
Classification of “adequate” requires the U.K. to adopt data protection equivalent to those in the EU. Last year, the U.K. accomplished this by folding its own version of the GDPR, the U.K. GDPR, into the Data Protection Act 2018. It’s equivalent to the GDPR in all aspects and is expected to effectively harmonize British data regulations with existing EU standards — which should ensure a decision of adequate status from the EU.
If granted, this adequate status could result in a return to business as usual. In this scenario, it’s likely that companies in the U.K. won’t need to make any changes to their current data collection policies, so long as they’re already GDPR-compliant.
At the moment, there is no clear timetable for when the European Commission will make its adequacy decision on the U.K. Current evidence suggests that the commission is preparing to make an adequacy decision before the end of the year. However, there’s nothing guaranteeing a timely resolution. Even if the EU finds the U.K. standards adequate, it may not be granted adequate status before the end of the transition period. With the U.K.’s adoption of the U.K. GDPR, there may be a period of several months or longer where it’s regarded by the EU as a third country.
In any case, however, U.K. companies continuing to do business in the EU will still be bound by GDPR regulations, just like any company based outside the EU that serves customers in the union.
Steps Businesses Should Take
Businesses currently bound by GDPR will need to continue following EU data regulations. They should expect that any of the GDPR impacts the company has felt so far will continue. User data will need to be protected adequately, and you will need to ask for prior consent before collecting user data, just as before.
Businesses should, however, consider preparing for the possibility that the U.K. fails to be deemed adequate, or that the European Commission fails to update its status to adequate before the end of the transition period. This would result in the U.K. being regarded as a third country, at least for a brief period.
While the U.K. is regarded as a third country, businesses will effectively need to create their own GDPR safeguards and company policies that ensure the proper use and handling of personal data if they want to stay compliant. U.K. businesses will still be subject to fines from the EU if they fall out of compliance with the GDPR, even while the U.K. is considered a third country.
What to Expect With GDPR After Brexit
If the U.K. is granted adequate status, businesses will likely feel little difference when it comes to data protection regulation. If not, staying compliant with the GDPR may be a little bit more complicated, with companies needing to put new safeguards and stricter controls in place to ensure the proper processing of data. They will also need to notify their customers of the U.K.’s third country status.
However, disruption from the U.K.’s third country status is expected to be short-lived. The U.K. government and the EU appear to be in total agreement when it comes to standards that businesses should follow to ensure the proper handling of customer data. While Brexit is likely to have major impacts on many different aspects of British business and dealings with the EU, data protections seem to be a settled issue.