The prospect of Brexit creates major uncertainty in many areas of life and business, not least when it comes to the question of the data that you hold in your business and how you comply with data protection requirements and GDPR.
What will Brexit mean for the data you hold in your business and what will happen at the end of March when the UK leaves the EU?
The answer, unfortunately like so many aspects of Brexit, is uncertain, and will depend on how events unfold in a situation that is changing constantly and rapidly.
At the time of writing a Withdrawal Agreement has been negotiated between the EU and the UK along with a Political Declaration on the future relationship between the parties. The Withdrawal Agreement is here and the Political Declaration is here. There is also an explainer document here.
This Withdrawal Agreement has been accepted by the EU member states and the UK government, but it has not yet been accepted by the UK parliament, and its prospects of being accepted there are the subject of enormous uncertainty and speculation. We will just have to wait to see what happens on that.
What will it mean for your business if the Withdrawal Agreement between the EU and the UK is confirmed and the UK leaves the EU on this basis?
Well, the Withdrawal Agreement deals with data protection and GDPR issues quite specifically and provides clarity in these areas. Articles 70 to 74 of the Withdrawal Agreement in particular deal with data protection and data security, on pages 127 – 131.
Article 71 essentially states that the EU’s GDPR will continue to apply in the UK for the duration of the transition period provided for in the Withdrawal Agreement. The transition period is to apply up to 31 December 2020 and may be extended.
If this were adopted, it would allow data to continue to flow freely between the EU and the UK on the basis that the UK will continue to adhere to the GDPR during the transitionary arrangements. And it would seem reasonable to assume, based on what is outlined in the Political Declaration, that the transition period should enable arrangements to be put in place so that a finding of adequacy can be made by the end of the transition period, allowing data to continue to flow freely thereafter.
Something that is not mentioned specifically in the Withdrawal Agreement, and that will have to be clarified as events unfold, is the status of UK-based data controllers for the purposes of compliance with Article 27 of the GDPR. At present, the UK is a member state of the EU and data controllers established in the UK are, by definition, established in the EU.
However, after the UK leaves the EU, UK-based data controllers that hold data on people in the EU and do not have any establishment in another member state of the EU will not be established in the EU for the purposes of the GDPR, and will presumably have to appoint a representative in the EU pursuant to Article 27 of the GDPR in order to be compliant.
Whatever about the uncertainties of Brexit, the one thing that’s for sure is that our Brexit Business Data Survival Guide will help you to understand what you can do to prepare your business whatever happens.