As the UK MPs and the EU representatives continue to discuss the specifics of the upcoming Brexit, nothing is yet settled. In this murky context, companies in the UK and companies working with companies in the UK are rightly confused. What about GDPR, the transnational European data protection regulation to which we were just beginning to adjust? Will there still be a GDPR after Brexit for the UK? If it changes, how so? Should a new kind of data protection compliance regulation be created for the UK instead of GDPR? All these topics are intensely debated right now across all business media. Unfortunately, there is a lot of uncertainty and a lot of Brexit and GDPR myths as well. Let’s walk through everything together and see what will really happen with GDPR after Brexit in all possible scenarios.
Possible Brexit Scenarios
For now, UK politicians are still debating whether to accept the deal on the table or to go for a no-deal exit. There are several possible outcomes, depending on what is decided on these counts:
- Whether they accept the deal or not;
- Whether they ask for a delay in deciding (Brexit and the deal-or-no-deal debate simply get postponed);
- Whether they try to negotiate a new deal.
Regardless of what happens next, the UK and companies connected to this space will still need to deal with GDPR. The GDPR after Brexit issue is not going anywhere. Even in the most extreme outcomes, data compliance will still be on the agenda. Let’s take a few examples.
A. GDPR after Brexit with a deal
Within the deal currently on the table, GDPR is also stipulated as a must. If the UK MPs somehow agree on the deal before the 31st of October deadline, then Brexit goes through as planned. GDPR would be part of the deal with the EU, so the current data compliance regulations stay in place. In this case, you have nothing to change: GDPR rules stay in place as they are.
B. GDPR if Brexit is delayed and renegotiated
If the UK MPs ask for a deadline extension in the hope of reaching consensus by then, GDPR essentially remains in place. Until the new deal is discussed and agreed upon, the UK does not technically leave the EU. That means all European laws and UK-EU agreements stay the same as they were, including the GDPR, at least for the duration of the extension. The political party that initiated Brexit and continues to strongly support it says delaying is not an option. But considering that Parliament can’t seem to reach a consensus on how and when to exit the EU, or even on the idea of exiting at all, a delay is very possible.
C. GDPR after Brexit with no deal (Hard Brexit)
If, let’s say, the UK representatives refuse to accept the deal, this will probably open up a whole can of worms of legal contention. Until the issues are hashed and rehashed through the courts, GDPR will be a big question mark. One way or another, as the British minister in charge of data protection, Baroness Neville-Rolfe, has recently said, even if GDPR no longer applies in the UK, some very similar legislation will need to be put in place.
“One thing we can say with reasonable confidence is that if any country wishes to share data with EU member states, or for it to handle EU citizens’ data, they will need to be assessed as providing an adequate level of data protection,” Neville-Rolfe said. “This will be a major consideration in the UK’s negotiations going forward.”
While it’s not clear if the UK will still adhere to GDPR after Brexit, or adhere to a similar framework (such as the Privacy Shield, see below), or submit to being independently evaluated,
Useful Info for a GDPR after a No-Deal Brexit:
- The documents and criteria for the EU’s adequacy decisions (how they decide a country provides adequate data protection and is therefore trustworthy);
- The Privacy Shield Framework: a framework that allows people to transfer their personal data from the EU to the US while maintaining GDPR standards. There is the possibility for the UK to adhere to it or create a similar framework;
- The Official GDPR FAQs – on the main GDPR portal.
There are 5 possible scenarios for a GDPR after Brexit with no deal, depending on your role in the data ecosystem. We’ll tackle each one, but rest assured that the matter of data protection will not return to its pre-GDPR state. Once the world started taking data protection and privacy concerns seriously (and rightly so), there’s no turning back.
Here are the 5 possible scenarios for GDPR after Brexit with no deal:
In all data exchanges, we can speak of data controllers and data processors. Data controllers are the business entities that collect the data of their clients and contacts (often in order to provide them with services) AND decide the purposes for which that data will be processed. Data processors are the business entities that process the data on behalf of a data controller (besides any employees of the controller). Data subjects are the people whose personal data is being processed. We’ve drawn the 5 possible scenarios for a GDPR after Brexit, depending on the role of the business in the data flow.
- Scenario 1: Controllers in the UK, providing services for UK people and entities and sharing no personal data with organizations outside the UK;
- Scenario 2: Controllers in the UK, providing services for the UK but involved with processors in the EU (or anywhere else outside the UK);
- Scenario 3: Controllers in the UK, providing services for people and business entities in the EU;
- Scenario 4: Processors in the UK, acting on behalf of controllers or processors in the EU (or UK and EU);
- Scenario 5: Processors in the UK, acting on behalf of controllers or processors in the UK.
#1. Scenario 1
This scenario is rather simple. Even though there are not many cases like this in real life, since data circulation is rarely as tightly sealed as this, any guide has to cover it. If you’re among the rare few UK controllers who only provide services to the UK and have no exchanges with non-UK processors, you’re lucky. You don’t really need to concern yourself with GDPR after Brexit. The data protection laws you will need to abide by after Brexit are going to be more or less the same as the ones you are used to, and they will be communicated by UK authorities in due time. It’s highly possible that after the UK leaves the EU with no deal, the controllers doing business solely in the UK will need to comply with the Data Protection Act 2018 (DPA2018) instead of the GDPR. The GDPR stipulations are for the most part already included in the Data Protection Act 2018, so Brexit will not affect this (even with no deal). In any case, the controllers defined by scenario 1 are the least affected by the GDPR after Brexit issue, because nothing will actually change for them.
#2. Scenario 2
Most small UK businesses fall into this category, of controllers in the UK who are involved with processors outside the UK. Basically, anyone who uses international software like Microsoft, Facebook, Dropbox, and so on, fits into this second scenario. Legally, nothing really changes in this case either, because GDPR after Brexit will mean adopting the UK data protection law, DPA2018 (linked above). Since the processors outside the UK will still be compliant with GDPR, nothing hinders these UK controllers from continuing to use their services.
#3. Scenario 3
In scenario 3, the UK controllers are not just working with non-UK processors but are also serving EU-based clients, having EU offices, and so on. In this case, the situation is a bit murkier. The problem is that communication between the various branches and entities involved in the business process might be stalled by GDPR after Brexit. To be proactive about it, you can designate a DPO (Data Protection Officer) in each country you have offices in, and that should cover the conditions imposed by the EU on third countries (which the UK will effectively become). This will solve compliance issues, but be warned that handling GDPR after Brexit in paperwork terms might not be the worst of it. Because of the extra hassle involved, it’s very likely that obtaining more clients in the EU market will be difficult. It will be harder to compete with EU controllers who don’t have post-Brexit ambiguity to sort through.
#4. Scenario 4
After May 2018, all processors in the UK who were working with EU organizations were required to have them sign contracts that stipulated how their data would be handled. The issue here is that those contracts and agreements referred to the UK as an EU country, which will no longer be true. This means that all this paperwork will need to be redone. It’s best if you are proactive and start sending out the revised forms as soon as the Brexit decision is concluded one way or another. There is a risk that some of your business partners will decline to re-sign, but you do the best with what you have and move on. Continuing to do business with them in the absence of flawless paperwork is too great a risk to take.
#5. Scenario 5
For processors in the UK working only with the data of people within the UK (and on behalf of controllers in the UK), the same applies as in Scenario 1. In other words, nothing changes, and there is no extra concern to be had.
Cybersecurity Risks of GDPR after Brexit: A Few Words of Caution
As you can see by now, GDPR after Brexit will bring a lot of paperwork in many cases. Not just paperwork, but also a lot of communication with partners across national frontiers. Because these communications will be out of the ordinary, and because the Brexit situation is new to everyone, this can be a huge opportunity for cybercriminals. Be wary of any email you receive about Brexit and GDPR matters, especially if the sender is prompting you to do something involving sensitive data. Don’t enter your login details on any page (it could be a phishing attempt), don’t engage in conversations with people you don’t already know, and so on. Business Email Compromise (BEC) is a growing and costly threat. The small chaos that will likely flood everyone’s inboxes concerning GDPR after Brexit is the perfect opportunity for BEC attacks. Spam filters are not enough to tackle it: you need to do thorough background checks on every such email, and you also need an email security solution specially designed to counter BEC attacks.
Wrapping it up
I hope this guide helped clear the confusion surrounding GDPR after Brexit. In any case, and however convoluted the Brexit process continues to be, you should take some steps to prepare for the future. Just look up your own business situation in the scenarios above and find out what you can expect, even if there is a no-deal Brexit. Good luck, and drop us a line with any concerns you might have.