How will Brexit affect GDPR?
The transition period
With the country leaving EU jurisdiction, many questions hang in limbo. One of which relates to GDPR law – a piece of protective legislation introduced on May 25th 2018, intended to standardise data protection rules across the European Union, make business data collection more transparent and to improve EU citizens’ rights regarding data.
The question is; have the GDPR rules changed now we’ve left the EU?
The simple answer for now is, NO. During this transition phase – from now until December 2020 – GDPR compliance responsibilities remain the same. Anyone – business, organisation, charity or group dealing with personal data should continue to follow existing established data protection responsibilities.
The UK was one of the primary authors of the GDPR and has long been committed to upholding strong data protection laws. Both the GDPR and the Law Enforcement Directive (LED) are already fully incorporated into our Data Protection Act 2018 and so in regards to Brexit even with the myriad of shifting regulations, as part of the European Withdrawal Agreement the GDPR will be fully amalgamated into UK domestic law.
For now, after the transition period the future of data protection is unknown. However, come December, at the close of the transition period, businesses and organisations should have a clearer picture of what’s to come. Presently, it’s a case of ‘sit tight, stay calm, and carry on’, business as usual!
After the transition period
It is after the transition period when the situation becomes more uncertain, simply because the UK’s final relationship with the EU is unknown.
The options are to:-
- Leave with a deal
- Leave with no deal
- Leave with no deal but obtain an adequacy decision
Should we leave with no deal, there are concerns regarding international transfers FROM the EU and the additional expense that some UK organisations would face, due to appointing Representatives.
However if we leave with a deal or obtain an adequacy decision, then these concerns cease to be an issue.
Additional data regulations for consideration
Alongside GDPR legislations, the following regulations will remain in force for now, but are subject to change come December;
Electronic Identification, Authentication and Trust Services – (eIDAS)
This regulation is an EU rule, but one not transferred into UK law. Regardless of a deal, the UK government has announced it will implement eIDAS rules into UK law on exit – limiting disruption.
The Privacy and Electronic Communications Regulations – (PECR)
These rules cover marketing, electronic communications and cookies, they are EU laws installed within the UK legal framework. These rules will continue to apply once the UK leaves the EU. A new ePrivacy Regulation is on the horizon and it is anticipated that this will also be mirrored in our own laws.
The Freedom of Information Act 2000 – (FOIA)
FOIA is UK law and will remain, even in the face of a No Deal Brexit.
Network and Information Systems Regulations 2018 – (NIS)
The NIS is derived from the EU but set out in UK laws. These rules will continue to exist. However, a No Deal Brexit means businesses will be obligated to local NIS laws in each Member State in which they provide services. An EU representative may be required.
Environmental Information Regulations – (EIR)
These rules are part of UK law. They will continue to apply unless revoked.
Email: [email protected]