The UK will leave the EU by the end of 2020, and this will change how data is treated between the UK & the rest of Europe. In this article we’ll be looking at how GDPR and Brexit changes will affect you, whether you’ll need an EU representative, what is adequacy status (this one is important) and most importantly, how you can ensure you don’t fall foul of the GDPR and Brexit conundrum.
Changes to data protection: GDPR after Brexit
Just to put your mind at ease right from the start, many of the relevant laws and regulations are derived from EU law and/ or will be incorporated into UK law and so wide ranging changes to data protection after Brexit are very unlikely.
There is a little more to it though.
These small changes can have huge ramifications, as we will see later in the section on GDPR fines. You can learn more about important changes relevant to you and your company, live from industry experts in our webinar GDPR after Brexit.
(Don’t worry if you missed the live version, we’ve got the recording setup and waiting for you).
Whilst many aspects of post Brexit data protection will remain the same, there are issues that you will need to account for, for example the different situations in which you would require an EU representative, (skip ahead to the FAQ’s if you’re especially eager to find this out).
The first ‘Brexit changes’ to data protection were brought in almost 2 years ago, during the grace period (the time period the UK has to make arrangements to leave the EU) the UK passed the Data Protection Act 2018 (DPA 2018) which goes some way to ensuring the UK achieves adequacy status.
Which leads us onto…
UK adequacy decision post Brexit
According to government guidance it is extremely likely that the UK will have achieved adequacy status by the time the UK transition period finishes at the end of 2020, and thus UK based businesses will be able to continue to handle data with no issues (Source).
It will be the European commission who make the UK decision on whether to grant the UK adequacy status or not.
What is adequacy status?
Adequacy status is simply proving to the EU that data is processed safely, to at least the same standard as that stipulated by GDPR.
This is exactly what the UK will have to do after the transition period.
GDPR/Brexit transition period
Until the end of the transition period, data will be able to flow freely between the EU & the UK (providing international data transfers comply with GDPR of course).
But speaking of the transition period and the ability to handle data post Brexit, we need to mention EU representatives.
Has the transition period finished? | So do I need an EU representative? |
YES | YES |
NO | NO |
The transition period for leaving the EU finishes at the end of 2020, and you won’t need an EU representative during the transition period. As stated in the official government guidance, there will be no immediate changes to the UK’s data protection standards (Source). At such time we can expect to find out for certain about the UK data protection adequacy decision.
However, you will need an EU representative after the transition period if you will store data or do business with anyone in the EU.
We’ve already mentioned that Brexit will change how you store data, this topic can get a little wordy and complicated…
You’ll most likely have to switch from any UK based cloud storing service (for a variety of reasons), although there can be mitigating circumstances as to why you might not have to do this (such as contractual clauses or migration).
We’ve got a really useful webinar on the topic where you will learn about important changes to data storage, changing laws relevant to you and more, in order to help you navigate the landmines that fill the ever changing landscape of data protection. Presented by two industry experts, the webinar makes this complex topic a little easier to digest, you can check it out here: GDPR after Brexit.
International data transfer penalties
GDPR fines take into account a multitude of factors when determining whether or not a breach has been made, this information is then used to determine the severity of the fine.
Lower level fines can be up to €10 million, or 2% of the companies worldwide annual revenue of the prior financial year, whichever is higher.
Upper level fines can be as high as €20 million, or 4% of the worldwide annual revenue of the prior financial year, again, whichever figure is higher. Just take a look at a few examples of the enormous fines a few well known companies have been hit with.
GDPR fines: Causes & Amounts
As we can see in the infographic above, failure to comply with GDPR has cost each company on this list a fortune in fines.
This is purely to demonstrate that failure to comply with data protection laws does not go unpunished, severely in some cases, so much so that it can threaten not only the reputation of an organisation, but their very existence.
If you’re thinking that only huge enterprises are being hit with fines, you’re wrong. As it states in PRODUCT PAGE, now, UK businesses have to comply with local data protection laws, European data protection institutions such as the Spanish AEPD for example, fines to small(er) businesses are far more aggressive, so don’t think that because you’re not a behemoth like BA, you’ll be exempt from data protection fines, or treated more leniently.
If you’re worried about being hit with a fine just as these companies have, you can take our GDPR risk assessment and it will identify threats and provide solutions that make ensuring you are GDPR compliant, easy.
You can get much more specific information regarding GDPR breaches, fines, what factors are taken into account as well as who administers the GDPR fines in our webinar GDPR after Brexit.
How to stay compliant with GDPR after Brexit
As we’ve already discussed, GDPR is European legislation, and as such, will mean that once the transition period is over, the UK will no longer be under any obligation to abide by GDPR.
So, does that mean you don’t have to be GDPR compliant after Brexit?
Yes and no.
As you’ll see in the FAQ section below, the UK intends to incorporate GDPR into UK law, and if this is the case, UK companies will have to be compliant with GDPR, albeit a slightly different version, because GDPR will be working in conjunction with the DPA 2018, the UK’s existing data protection law.
Upon leaving the EU, the UK will be given third country status. This is the reason the UK will need to achieve the adequacy status we spoke about before.
Should a UK based company do business with any company or customer in the EEA, both parties must adhere to GDPR, regardless of the fact the former is based outside the EEA. So, long story short, you should be taking steps to ensure you’re GDPR compliant.
If you’re interested in how you can stay GDPR compliant be sure to take a look at International Data Transfers, our GDPR software that helps you avoid being hit with huge fines, whether they’re caused by a small oversight or a monumental mishandling of data, don’t take the risk!
GDPR and Brexit impact: How will Brexit affect GDPR?
Incorporating GDPR into existing UK data protection law means there will be a UK GDPR after Brexit. This is because the UK must prove that it can safely process data to at least the same rigorous standard as stipulated in GDPR.
Whilst there will be minimal changes, Brexit impact on data protection is clearly something you need to prepare for, the severity of fines you could be hit with means you have to be ready, even for these small changes. We have already seen the first instance of Brexit impact on GDPR in the creation of the DPA 2018 we mentioned earlier.
Privacy policy Brexit
Until the end of the transition period (the end of 2020) there will be no changes to data protection.
Afterwards, you must be prepared to update your privacy policy. This can be complicated and fraught with legal issues, but you needn’t worry, you can simply use our privacy policy template.
We’ve put a short list of the benefits of using a privacy policy generator aswell a link to the one we’ve created for you. The link will take you to the page of the generator and contains information on what should be included in the policy, what it is, what to communicate to customers etc but most importantly, having a template means much of the work is done for you.
- Automatic generator
- Ensure you’re always GDPR compliant
- Your privacy policy is always up to date
- Dynamic privacy policies
- Extremely helpful whether you’re new to data protection or a veteran.
- Why? If you’re a newcomer, there is information that will be invaluable to you, if you’re more experienced, it’s a huge time saver and can help just in case you’ve overlooked some new legislation.
The ICO itself admits that it does not yet know exactly ‘what the data protection landscape will look like’ and so overlooking some information is not beyond the realms of possibility.
You’ve undoubtedly got some concerns related to data protection, GDPR and Brexit, in order to help alleviate these concerns you can consult the FAQ section for some quick answers.
Brexit and GDPR FAQ
Q. Will GDPR apply when the UK leaves the EU?
A. As it’s a European regulation, GDPR would not apply to the UK, however, they would apply should you do business with any individual or organisation in the EEA. It is likely that GDPR would simply be incorporated into the UK’s existing data protection laws.
Q. What will change to data protection now that the UK will definitely leave the EU?
A. Nothing, for now. Until the end of 2020, there is a transition period, so that all the details can be ironed out. So if you’re compliant with GDPR, then great news for you, you still are! (Until next year). As we said in the previous point, if the UK government does indeed incorporate GDPR into UK data protection laws, then there would be little to no change.
Q. What happens after the Brexit transition period?
A. This totally depends on negotiations that are yet to take place, however, the default would be that GDPR would simply be brought in as UK GDPR.
Q. Do we need an EEA representative?
A. No, at least not during the transitional period, after this ends however, you may need to appoint a European Economic Area representative if you are selling to individuals in the EEA or if you’re monitoring behaviour of individuals in the EEA. For information related to appointing a representative in the EU & NIS, scroll down to point 9.
Q. What will the UK data protection law be?
A. The Data Protection Act 2018 (DPA 2018) will continue to apply, GDPR will then be incorporated into this so that UK companies can continue to operate in the EU, the law will likely be known as UK GDPR.
Q. Can we still transfer data to and from Europe?
A. Yes, data transfers from the UK to the EEA will not be restricted. However, GDPR rules will apply to data coming from the EEA to the UK.
Q. What about law enforcement processing post Brexit?
A. The same rules still apply as set out in the DPA 2018 and will only bring in some minor changes to reflect the UK being outside the EU. When this transition period ends, transfers of data from the EU to the UK will have to abide by transfer regulations in the sender’s country.
Q. Does PECR still apply?
A. Yes, PECR in the UK is derived from EU law, it’s set out in UK law and so will not need to change post Brexit.
Q. Does NIS still apply once Britain leaves the EU?
A. Yes, similarly to PECR, NIS is derived from EU law and set out in UK law and will therefore continue to apply after Britain exits the EU. If you’re a digital service provider based in the UK you will need to appoint a representative in one of the EU member states in which you operate.
Q. Will the eIDAS still apply post Brexit?
A. Yes and no, as an EU regulation won’t apply to the UK after Brexit, however, the eIDAS regulation, much like GDPR, will be incorporated into UK law and so you should be planning to act as if eIDAS is still in effect which in essence, it will be.
Q. Does the Freedom Of Information Act (FOIA) still apply?
A. Yes. As a UK law, nothing will change when the UK leaves the EU.
Q. Do the EIR still apply?
A. Yes, much like PECR, the environmental information regulations are part of EU law, but are set out in UK law.