Much discussion of Brexit centres on the trade in goods. If we leave without a deal, will there need to be a hard border in Ireland? Will Kent become a lorry park? What will we be paying in tariffs?
However, a hard Brexit isn’t just about tangible border issues. Britain is primarily a service economy, and this sector of the economy is particularly reliant on the free flow of intangible items between the UK and Europe (or more precisely the EEA – the EU plus Iceland, Norway and Liechtenstein).
Chief amongst these is personal data.
Many businesses use data centres outside the UK, outsource data processing offshore, or share personal data with affiliated offshore organisations.
Many may also have online businesses where they receive personal data from offshore, e.g. they have customers in the EU. The rules applying to such cross-border flow of personal data between the UK and the EEA are currently enshrined in the General Data Protection Regulation (GDPR).
Before Brexit, the UK is part of an EEA-wide free data flow area underpinned by the GDPR. After Brexit, if we leave the EU without a deal addressing such issues, we will be left with a personal data border between the UK and the EU.
After we leave the EU, a UK-specific version of the GDPR (UK GDPR) will apply. Outside the UK, the GDPR as it currently exists will continue to apply in the remaining EU states (EU GDPR).
If we leave without a deal, some surprising consequences will ensue. The immediate result is that the UK will become a “third country” in the eyes of the EU.
This means our data protection law (the UK GDPR) will no longer be considered “adequate” by the EU – at least in the short term. If EU-based organisations want to transfer personal data to the UK (or the UK wishes to import such data), they are likely to need to rely on another legal mechanism to enable such flows to continue.
This would typically take the form of an EU-approved transborder data agreement – so-called “standard contractual clauses” (or SCCs).
It will be permitted to export personal data to the EU as the UK GDPR allows this. However, if you’ve exported it for processing in an EU state, there may be issues in having this data sent back to you if the UK becomes a “third country”.
There are other potential implications, as well. For example, if you sell goods and services to nationals in EU states online, you are also likely to need to comply with the EU GDPR as well as the UK GDPR.
Likewise, if you have an operation (a branch office, for example) in an EU state.
If however you only operate in the UK and are not concerned with transborder data flows, then you can relax.
However, how many businesses will be in this category?
Advising businesses what to do about Brexit without being alarmist is a difficult task. Moreover, the GDPR is a particularly complex area.
Most businesses have already spent much time and effort to comply with the GDPR. Now, there’s the significant risk of additional complexity if free movement of data is to be maintained.
The UK’s Information Commissioner (ICO) is well aware of the issues here and has been providing more and more resources online to help assist businesses.
Their latest guidance is that if the UK leaves the EU without a deal, most of the data protection rules affecting small to medium-sized businesses and organisations will stay the same. They also note that:
- If you are a UK business or organisation that already complies with the GDPR with no contacts or customers in the EEA, you do not need to do much more to prepare for data protection compliance after Brexit.
- If you are a UK business or organisation that receives personal data from contacts in the EEA, you need to take extra steps to ensure that the data can continue to flow after Brexit. As noted above, these additional steps may include cross-border data transfer agreements (SCCs) in the approved form.
- If you are a UK business or organisation with an office, branch or other established presence in the EEA, or if you have customers in the EEA, you will need to comply with both UK and EU data protection regulations after Brexit. You may need to designate a representative in the EEA.
Given the current political uncertainty, it is prudent for businesses to plan for a no-deal scenario.
The best place to start is by mapping the data flows between your business and the EU. In light of this, the impact of a no-deal Brexit then needs to be examined.
The ICO has an interactive tool to help with this.
While there may be some work required to enable your business to continue to receive data from the EU, these steps are relatively modest compared to those needed to help ensure free trade in goods after a no-deal Brexit.