With the transition period approaching its end, and a “no-deal Brexit” more likely than ever, the United Kingdom’s relationship with the European Union is set to change, effectively returning to WTO conditions if no deal is ultimately agreed.
The Current Situation
Until now, UK businesses have been subject to two overlapping sets of rules for the management and processing of personal data: the EU GDPR and the UK Data Protection Act, enacted in 2018.
GDPR, a European-level regulation, also came into force in May 2018. It completely changed the way organisations handle personal data inside the EU and also regulates transfers to countries outside the EU and EEA. GDPR was introduced to safeguard individuals from data breaches and changed the way companies build information systems, which now have to be designed with privacy in mind, including anonymisation and pseudonymisation practices where required. Since the regulation came into effect after the UK voted to leave the EU in 2016, British companies still had to adapt to the new rules, at least until the end of the transition period.
The European Union gave each member state the freedom to implement GDPR through national legislation, although respecting its principles remained mandatory. The UK therefore translated the GDPR provisions into the Data Protection Act 2018. Like GDPR, the Data Protection Act regulates personal data processing, guarantees that the data subject is protected, and holds organisations liable for any breach of the rules.
Additional safeguards apply to sensitive categories of data, such as:
- Criminal history
- Political opinions
- Sexual orientation and sexual life
After the transition period ends on January 1 2021, the United Kingdom will no longer be bound by GDPR, making the 2018 Data Protection Act more important than ever. The open question for companies and individuals is whether, and how closely, UK law will continue to mirror GDPR after Brexit.
GDPR and Data Protection Act after Brexit
A crucial role is played by the ICO (Information Commissioner’s Office), the body that supervises and enforces data protection rules and is responsible for:
- Data Protection Act
- Privacy and Electronic Communications Regulations (PECR)
- Environmental Information Regulations
- The re-use of Public Sector Information Regulations
As such, the ICO has published guidance on the impact of Brexit on information rights and data protection rules at the end of the transition period.
According to the ICO, at the end of the transition period GDPR will be incorporated into UK legislation under the name “UK GDPR”. This means that UK companies will still have to comply with the current data protection regulations. The government, however, will have the flexibility to change the structure of the UK GDPR if required.
GDPR after Brexit for local and national businesses
As stated above, no substantial change will take place for UK companies after the transition period. The change will be formal: GDPR will become part of the UK legal system, and companies will be able to continue “business as usual” without having to adapt to new norms. This holds only for a company that operates within the boundaries of the United Kingdom and therefore does not exchange data with organisations in Europe.
Even after the transition period and exit are ratified, the ICO expects to follow GDPR closely in how it shapes the development of the UK Data Protection Act. In substance, the UK would still like to cooperate closely with the European Union on the future of data protection, and it plans to keep national legislation as close to the European one as possible. Keeping GDPR after Brexit is an attempt to make sure that the UK – effectively a third country with respect to the EU after December 31 2020, according to Article 27 – retains adequacy status, meaning that the European Union won’t require any further protections for data transfers to the UK, so that the flow of data between the UK and EEA countries is not halted.
One reason for UK businesses to be concerned about the EU’s opinion of British data processing standards is the suspicion with which Brussels regards the UK’s mass-surveillance practices and its intelligence-sharing agreements with the members of the Five Eyes alliance, particularly the US.
GDPR post-Brexit if you operate in Europe or exchange data with EEA companies
All UK companies that operate in Europe, or sell goods or services in the European Union will still be subject to the European version of GDPR.
Similarly, if you receive data from European-based companies, you will need to agree a way to transfer consumer data to the United Kingdom without breaching GDPR. The government has confirmed that it won’t restrict data transfers from the United Kingdom to the European Economic Area. However, the receiving company will still need to comply with GDPR.
GDPR-induced costs for UK businesses after Brexit
The UK becoming a third country under the Article 27 classification puts UK companies in an uncomfortable position, at least formally. The Article states that companies headquartered in a third country need to appoint a representative in the EU if they offer goods and services to EU citizens, or if they monitor people in the EU, for example through cookies on their website used for targeted advertising. There is an exception to this rule: companies need not appoint a representative when “processing is occasional, not at large scale, and unlikely to result in risk.” There is no clear definition of occasional processing, however, which makes forgoing EU representation riskier. The cost of hiring an EU representative can vary from as little as £130 to £5400 per year.
These added costs, plus the costs of non-compliance and of the new standard contractual clauses, could add up to an estimated £1.9 billion in GDPR-induced costs after the United Kingdom leaves the EU on January 1 2021. As we have seen on our blog, the risks associated with superficial management of data and equipment can be high, and losing the trust and respect of customers and employees can hit your business, on top of financial penalties if GDPR is enforced. Hence, hiring a data representative and making sure your data practices are in order is often a wise investment.
I run a small/medium business and exchange data with EU customers and companies. Do I need an EU representative?
Yes. Legally, you are required to appoint a representative in the European Union; failing to do so can result in fines of up to two per cent of your company’s global turnover, with a maximum of £10 million. Not having EU representation is a clear breach of Article 27 of GDPR and is punishable with the fines mentioned above.
However, it is still unclear what kind of enforcement is expected for small companies found breaching GDPR. Deciding on hiring representation is currently a gamble, rather than a mandatory investment, due to the scarcity of concrete precedents.
Medium-sized businesses are the unfortunate victims of the UK exit: larger corporations are highly likely to already have offices in one of the EU countries, and smaller, national businesses are free to keep operating as before. Medium-sized, internet-based companies headquartered in the United Kingdom with business interests in Europe are the most likely to bear the cost of the increased bureaucracy resulting from Brexit.
Data protection in times of uncertainty
Even without great clarity on the situation, and with issues likely to surface only as they emerge after Brexit – as many companies are not ready for, or aware of, the changes – the UK looks set to keep following Brussels, at least in the matter of data protection. Taking care of data, before and after GDPR, is a trait that good companies share. We always recommend having a sound data processing and protection policy, including secure data sanitisation and secure computer disposal when required, to make sure your company’s data is safe before Brexit and after.