Brexit and GDPR

GDPR automatically came into force in all 28 EU Member States from 25 May 2018. As such it is directly applicable with no need for national laws to implement the requirements.

Regardless of the UK’s decision to leave the EU, data protection regulation will continue to be heavily influenced by EU laws right up until final agreements on the terms of withdrawal from the union. This has been highlighted by the UK data protection authority, the Information Commissioner’s Office (ICO), which has also stressed that the Data Protection Act 1998 remains the law irrespective of the referendum result.

The precise nature of a post-Brexit UK-EU relationship will be a critical influence on how closely the UK will follow the letter and spirit of the rules in the Regulation.

Key implications:

1. GDPR requires adequacy for cross-border data transfers outside the EU - post-Brexit, the UK will need to ensure that it has an adequate level of data protection to continue cross-border trade with EU countries. This will need to mirror the requirements of GDPR.

2. GDPR has extra-territorial reach - GDPR applies to all organisations monitoring or processing the personal data of EU residents, regardless of where the organisation is located. Businesses which offer goods or services across borders, or monitor activities of EU residents, will still be covered by EU data protection laws.

3. Data protection is vital for consumer trust - embedding privacy at all stages, and all touch points in the data journey, must continue to be a primary consideration for UK businesses. As awareness of data protection rights increases, the commercial implications, and potential reputational impact, mean that all industries must focus on securing consumer and customer trust.

Additional steps

So, you need to continue taking action, regardless of the ongoing Brexit negotiations. Staying compliant is vital to avoid the robust penalty regime. Here are some additional steps you can take:

· Identify your organisation’s personal data flows from the EU to the UK. These will need to be based on new adequate safeguard measures if the UK leaves the EU and is outside the European Economic Area (EEA).

· Identify those activities that involve processing of data subjects in other EU member states. These will fall fully within the GDPR in light of its extra-territorial scope.

· Monitor the ICO’s guidance on Brexit and GDPR and stay close to MRS for advice on developments. 

· Update organisational plans as and when new guidance is released.