How will Brexit affect data protection?

November 30, 2020
Tim Heywood


Zum Profil

In the latest of our series of articles on Brexit and the changes we can expect come 1st January 2021, Partner Tim Heywood looks at the implications and considerations for data protection.

As if managers and business leaders did not have enough on their hands, 31st December is the deadline for taking some important legal compliance and enterprise level risk- management steps.

From the data protection and information governance perspectives, here are five issues to be getting on with…

  1. If your business is going to be processing personal data relating to people in the EEA, or if you will be profiling people in the EEA for sales purposes, you need to have identified a representative in the EU to act as the point of contact for complaints and your dealings with the relevant supervisory authority (ie the ICO equivalent in an EU Member State);
  2. If your business routinely transfers personal data to the USA from an EEA country and you want to rely on Binding Corporate Rules (BCR) to replace the Privacy Shield for intra-group transfers, you will need to ensure your BCR has been approved by the relevant supervisory authority;
  3. If your business routinely transfers personal data from the EEA to the USA and you are relying on the use of Standard Contract Clauses (SCC) to achieve equivalent protections for your data subjects. Our experience is that US providers, large and small, are adopting a variety of different approaches to the loss of the Privacy Shield in EEA/USA transfers. You will need to have carried out some form of audit or due diligence with your USA recipient so that you have not just relied on the wording of the SCC but have delved deeper into how the recipient will actually deliver on their contractual data protection promises.
  4. If the UK reaches the end of the year without a new, managed medium or long term agreement with the EU you will need to ensure you can comply with the terms of the Withdrawal Agreement. This says (essentially)  that the GDPR must still be applied in relation to personal data collected before 31st December 2020 if the data subject is in the EEA. Are you able to identify and demonstrate which data was obtained before and which was obtained after the 31st December?
  5. Digital Signatures rules might also change, if only because they are largely derived from EU law. But it is likely that the UK will adopt something very close to the current electronic signatures regulations in order to avoid unnecessary barriers to cross border trade and to facilitate the recognition of validly signed e-contracts.

All these issues show how important it is to stay abreast of developments in the EU/UK negotiations, as the end of the year approaches and as the shape of our future trade arrangements finally becomes clearer.

Tim Heywood is a Partner in gunnercooke llp specialising in data protection, information law and cybersecurity law. He also advises clients on public and administrative including Brexit and Covid 19-related legislation.