The curious case of Brexit and the disappearing GDPR

When the EU began enforcing GDPR legislation in 2018, the whole world paid attention. Strict new laws governing how personal data was stored and transmitted meant businesses and organisations worldwide suddenly had to ensure their systems were compliant. For the first year or so, we were bombarded with emails explaining how our personal data was being used, and every website we visited flashed up alerts about GDPR compliance.

On the third anniversary of GDPR, the topic might have faded from the everyday headlines and consciousness, but it’s more important than ever. As we head into a new wave of digital business and global political changes, businesses need to understand how it impacts them moving forward.

Over the past few years, we’ve seen some eye-watering fines for high profile breaches and failures to comply from the likes of Google, British Airways, Twitter and Marriott. Clearly, the European Union authorities take compliance very seriously, but there remains a distinct lack of clarity around the impact of Brexit on UK-based organisations and compliance with GDPR.

Ironically, the UK was instrumental in drawing up the original legislation that became the GDPR when it was part of the EU. But it seems little thought was given to how these laws would apply once Britain was no longer part of the bloc. As a result, businesses, many of which are dependent upon the free flow of data, are unclear on where they stand.

What’s the deal with cross-border data transfers after Brexit?

Recent developments in EU data protection have created great uncertainty for businesses in relation to cross-border data transfers, according to Tim Hickman, partner at White & Case LLP. Read here

What is the current status of GDPR in the UK?

It’s important to be clear that currently businesses in the UK are still bound by the GDPR regulations. The UK is now treated by the EU as a ‘third country’, which means it has to prove it has strong enough data protection laws, known as ‘adequacy status’. If a country is deemed to be not adequate, data transfer between it and the EU would be banned without implementing additional data transfer mechanisms. While the UK might no longer be subject to EU laws, the free flow of data is essential to businesses on both sides of the English Channel.

The UK’s Data Protection Act 2018, merged with the EU’s GDPR legislation, formed a new framework known as UK GDPR, which became UK law in January 2021 as part of the withdrawal from the union. It’s this framework that the EU commission uses to determine the UK’s adequacy status.

The Trade and Cooperation Agreement between the UK and the EU allows for the continued free flow of data for up to six months after the end of the transition period, taking us to the end of June 2021. The European Commission issued a draft approval of the UK’s adequacy status in February 2021, and there’s hope it will be ratified before the June deadline. However, this is not guaranteed.

What happens if adequacy status is not approved?

If the adequacy decision is approved before the 30th June, then businesses in the UK can continue to operate as if the GDPR legislation still applies, and no further action is necessary. But if the deadline passes without approval, then companies and organisations need to be prepared.

The best way to safeguard against this possibility is by building ‘standard contractual clauses’ (SCCs) into contracts of operation between organisations, which ensure that both the sender and receiver comply with data regulations. By incorporating these SCCs now, organisations can ensure compliance should the adequacy agreement not be approved, or if it’s delayed further.

When the European Court of Justice (ECJ) ruled in July 2020 that Privacy Shield was not a valid protection for data transfer between the USA and Europe, organisations had to scramble to rewrite their contracts to incorporate model clauses. Many businesses are still feeling the impact of this decision now, almost a year later. So rather than playing a waiting game, and hoping the adequacy ruling goes the right way, it’s always better to be prepared.

GDPR infringement: What can tech leaders do to reduce breaches?

A study by DLA Piper has found that regulators within the EU have imposed fines for GDPR infringement adding up to €114 million. Read here

What do you need to do?

Businesses should keep the following points in mind:

  • Ensure they have the right processes in place to comply with the GDPR, whether it’s according to EU or UK law.
  • Have a good understanding of how data flows through the organisation, so they can be clear on the steps required.
  • Put good vendor management practices in place to ensure partners are fully compliant and have an in-depth understanding of the changes in the law as a result of Brexit.
  • Have a backup plan in case the UK is deemed not to have adequacy status by the EU.

A wait and see approach won’t work

The issue of GDPR compliance generally mainly comes to prominence when a company receives a massive fine for falling afoul of the regulations. But wait and see is not a winning strategy – you don’t want your business to be the next one making headlines. Instead, take the lead within your organisation to understand the changing data privacy landscape, and at the very least make sure you’re working with a partner who can help you to ensure compliance.

Hopefully the UK GDPR regulations are robust enough for the EU to continue allowing data flow unencumbered. But if your organisation is prepared in advance, you won’t have to scramble at the last minute, regardless of the final decision handed down.

Written by Elizabeth Schweyen, senior manager of global privacy and compliance at Druva

Editor's Choice

Editor's Choice consists of the best articles written by third parties and selected by our editors. You can contact us at timothy.adler at stubbenedge.com