In April 2016, the world of data protection began to change with the introduction of the EU’s General Data Protection Regulation (GDPR), impacting every firm that handles personal data. Companies had to work out how to comply with these changes to ensure that they could continue to effectively use customer data from May 2018 onwards (the date of GDPR’s enforcement).
Whilst British businesses are still adapting to new GDPR regulations, the future of Brexit throws a further spanner into the works of data protection, bringing up numerous questions regarding the role GDPR will play in a post-EU Britain. Keep reading for further information on the relationship between GDPR and Brexit.
2016-2018 GDPR Changes and The Latest Insights on GDPR
GDPR came into force on May 25th 2018, 6 years after preparations and debate concerning GDPR began. Labelled ‘the most important change in data privacy regulation in 20 years’, GDPR replaced the Data Protection Directive 95/46/EC, with the aim of bringing together Europe’s privacy laws for all EU-operating countries, giving individuals more control over their personal data, and reshaping how data is handled across all sectors, from banking to healthcare to purely commercial environments. At its very core, the introduction of GDPR sought to protect individual privacy whilst ‘levelling the playing field’ for EU businesses across the board. Data Protection Authorities, based in all EU countries, regulate GDPR and make sure organisations that do not comply with it face severe fines.
General data is classed as information which, when pieced together, allows a person to be identified. This includes names, addresses, location information and healthcare data, amongst others. For an easy-to-digest explanation of exactly what changes GDPR brought about, see the following factsheet.
GDPR does not apply to purely personal activities, but concerns commercial and professional endeavours, including socio-cultural ventures as well as financial ones. A full list of rules for businesses and organisations, as well as the rights citizens possess concerning GDPR, can be found on the European Commission’s official site.
GDPR Post Brexit; What to Expect
It is currently unknown exactly what will happen regarding EU data laws in Britain once Brexit comes into effect. However, it is clear that if a company processes an individual’s data in relation to the sale of goods/services, and that individual is a citizen of an EU country, said British company will need to comply with GDPR, regardless of Britain’s general position on GDPR post Brexit.
Activities contained within the UK are a different story. Whilst there is no exact confirmation of what will happen to British GDPR upon Brexit’s commencement, there has been a strong indication from the UK government that a similar set of rights will come into effect. It is expected that ‘British GDPR’ will remain very similar to current GDPR proceedings. This is for two key reasons: firstly, the support the UK government has displayed towards GDPR proceedings thus far; secondly, the fact that GDPR compliance would greatly facilitate Britain’s continued involvement in and access to the EU market. Both of these reasons indicate that British GDPR post Brexit will very much be in line with the current EU GDPR.
GDPR and Brexit; Proposed Data Protection Bill and Adequacy Agreement
In August 2017, a proposed Data Protection Bill was presented to both houses as a strategy for British GDPR post Brexit. According to the Great Repeal Bill, GDPR law would remain post-Brexit, but it would face further amendments.
In essence, the proposed Data Protection Bill remains incredibly similar to current GDPR, with most changes being enhanced and strengthened versions of laws already in place. If this bill becomes law, there is little chance Britain would face GDPR issues with the EU, given that British law would largely supplement GDPR rather than replace it entirely.
Post Brexit, the UK will become subject to Article 45 of GDPR, as would any non-EU country. This article specifies that data transfers between the two parties will only be permissible if the UK, in its ‘third country’ status, can ensure ‘an adequate level of protection’. Adequacy is based on how strong and effective the EU deems the UK’s legal framework and commitment to data protection. Given the proposed bill’s similarities to GDPR, it is believed highly likely that the UK will achieve adequacy, although this is not a certainty. Recently, the EU and Japan came to the first adequacy agreement since GDPR’s implementation, identifying each other’s data protection systems as ‘equivalent’.
One area which could prove problematic is the UK’s heightened surveillance laws, which the EU has previously shown it believes to be too interfering, going as far as to state that they violate human rights. As an EU member state, the UK previously had national security exemptions; however, this is no longer the case.
An adequacy agreement cannot be made until the UK has officially left the EU. Assessments for adequacy can take up to two years, although it is hoped that this timeframe will lessen given the mitigating circumstances. Questions therefore remain regarding what exactly will happen in this interim period. It is also worth considering that, even if the aforementioned bill were to pass, it would most likely face further changes and adaptations based on its post-Brexit performance. The exact future of British GDPR in a post-Brexit world therefore remains to be seen.
How St. Pauls Can Help
Jeremy Barnett of St Pauls Chambers spoke professionally on the subject of GDPR and Brexit. If you have legal concerns regarding post Brexit GDPR, please get in touch with our team of experienced barristers.