Applicable from the 25th of May 2018, the General Data Protection Regulation (GDPR) is a regulation in EU law on data protection across the European Union. Currently, the UK is an EU country and accordingly, the GDPR applies directly to its citizens and businesses.
Following the referendum of 23 June 2016 and the United Kingdom’s subsequent notification under Article 50 of the Lisbon Treaty, the UK’s membership of the European Union is due to end on the 29th of March 2019, followed by a transition period until the 31st of December 2020.
What effect will Brexit have on the GDPR?
In short, it is probable that once Brexit takes place, the domestic rules will apply to UK-based businesses. To ensure that British organizations can continue to trade and share data with EU counterparts after the separation, the government aligned the Data Protection Act with the GDPR.
On the other hand, the GDPR applies to all businesses that process the personal data of EU citizens – even if the business is located outside of the European Union – therefore most UK-based businesses will still need to comply with the regulations.
According to the current state of the negotiations and to the current draft of the withdrawal agreement, it is very likely that EU data protection law will also apply in cases where the personal data was processed in the UK before the transition period.
However, one thing is probably subject to change: the UK will qualify as a country outside of the EU, therefore data transfers between the UK and the EU will not be allowed unconditionally.
Considering that the UK has the largest internet economy of all the G20 countries and most of its cross-border data flows are with EU countries, it is likely that the country will need to adopt a mechanism to ensure the data is transferred lawfully between the UK and EU countries.
Though there are several possible outcomes, according to the current state of the negotiations, the UK will most probably need an adequacy decision. The European Commission has the power to determine whether a country outside the EU offers an adequate level of data protection. The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. (Source: European Commission) The process to pass such a decision may take several years after Brexit takes place. Until that happens, this will remain an open question.
For the purposes of the enforcement of the GDPR, UK firms will be subject to the jurisdiction of another EU data protection authority. While the GDPR recognises a “lead” supervisory authority in the country where an organization has its main establishment, and such authority has competence to investigate all data protection cases, this will no longer apply to firms with UK headquarters.
Currently, it’s hard to predict what’s going to happen since the negotiations are still ongoing. We will update this article with upcoming changes. However, one thing’s for sure – the GDPR’s effect will reach UK enterprises and large businesses even after Brexit takes place.