If you’re hoping Brexit means you can forget about GDPR, we’re sorry to disappoint you. You may well have to comply with two almost identical GDPRs that differ only in the details. And why? Well, grab a cup of coffee and we’ll take you through Brexit and GDPR, including how Brexit may have multiplied your risk of fines.
And stay with us, because at the end we’ll share a bonus tip that’ll help you win business whatever the situation is in 2021 and beyond.
And you can watch our FREE video: ‘Did Brexit kill GDPR?’, which is part of Privacy Kitchen – FREE video help with GDPR and all things Privacy. If you’re new to Privacy Kitchen, please do check it out here – and click subscribe and notify to hear about awesome Privacy Kitchen videos.
The big question: did Brexit kill GDPR? And the answer is … no, quite the opposite.
OK, maybe a bit too quick! So, let’s go into more detail.
From 25 May 2018, GDPR applied directly in the UK, as it did in all Member States of the EU, with no need for any implementation law.
Hang on – why’ve we got the UK’s 2018 Data Protection Act?
Well, GDPR contains the vast majority of Privacy rules for the private sector, but it doesn’t cover certain areas like law enforcement and national security. So a large part of the UK’s 2018 Act covers those. And GDPR allows Member States to tweak GDPR in certain limited areas and certain limited exemptions, and so the Act covers those too.
The UK left the EU and the EEA on 31 January 2020. The rest of 2020 was agreed as a transitional period, during which EU law continues to apply. For our purposes, the EU GDPR still applies directly in the UK through 2020 and the UK is still treated as a Member State for data transfers.
OK, so the EU GDPR is still direct UK law, effectively, up until the end of 2020. What then? Well, from 1 January 2021 there’s a new phase. It’s a little bit complex, so we’re going to break it down.
The EU GDPR will no longer be direct law in the UK as from 1 January 2021. But, until there’s a European ‘adequacy decision’ in favour of the UK, the UK has to continue applying the EU GDPR to all personal data that we’ve received from the EEA and been processing prior to 31 December 2020. This previously transferred-in data is called ‘stock data’ by the government, but we’ll call it ‘Legacy EEA Data’, as we think it’s a bit clearer.
Think of it this way: the point of EU GDPR was to protect individuals by protecting their personal data. If a country could just leave Europe and drop all those protections, well, that wouldn’t be acceptable. So this deal means that EU GDPR protection continues for Legacy EEA Data until the UK has shown that it offers an adequate level of protection. Now, this could still change: it’s only May 2020 at the time of writing and we could get an adequacy decision by the end of the year.
An ‘adequacy decision’ is when the European Commission decides that a third country, like the UK, provides an adequate level of protection, so that personal data can be transferred to that country without losing the protections it has under the GDPR. There’s no adequacy decision for the UK as at 7 May 2020 and there’s no certainty we’ll have one by the end of 2020. But both the UK and the EU really want to have it in place, given its importance, so it’s likely to happen, if not by then, at some point soon after.
And from 1 January 2021, there’ll be a UK GDPR!
We’ve already passed the necessary laws to adopt the EU GDPR as the UK GDPR with minimal changes, pretty well crossing out ‘EU’ and writing in ‘UK’. Here’s a screenshot of the changes to the UK 2018 Data Protection Act:
And here’s a screenshot of the changes to the EU GDPR to make it the UK GDPR. You can see it’s just that: everything in the EU GDPR, in terms of processor obligations, transfers, etc., is still there:
So, in summary:
We’ve seen that Brexit certainly didn’t kill GDPR; it’s split it into two.
We’ll look at the practical effects in another blog and video, but if you’re in good shape for compliance with the EU GDPR you’re going to be in good shape for compliance with the UK GDPR, and any task list you’ve already got is going to apply as well. Obviously, there are some changes.
But what does this mean for you? Well, if you’re a UK organisation and you absolutely haven’t interacted with Europe in any way and aren’t going to interact with Europe in any way, it may well be that you’re just going to be covered by the UK GDPR.
But if you have been dealing with Europe or you continue to deal with Europe, maybe you’ve got a subsidiary there, you sell to individuals there, you monitor individuals there, then there’s a very good chance you’re going to be subject to both the UK GDPR and the EU GDPR.
And for organisations outside both the UK and the EEA, for example in the USA, you’re going to have to look at the two territories separately, the EEA and the UK, and you’re potentially going to have to comply with both GDPRs.
Let’s come to that Bonus Tip. Really, it feels like we could do with one, so let’s have a few.
#1 Principles-based: From the start, make sure that your Privacy Governance is principles-based. Whether that’s the EU GDPR principles or the UK GDPR principles, they’re identical to start with. That means all of the Privacy Framework you put in place, all your checklists, all the training and awareness, and all the reporting you’re building out will apply to both, though obviously you’ll need to tweak certain areas.
#3 Transfers: Another tip is to prepare for no adequacy decision by the end of 2020 by having the Standard Contractual Clauses approved by the European Commission ready to go where you need them. Maybe you’re a UK processor for a customer in the EEA. You can’t negotiate the clauses themselves anyway, so they’re easy to put in place. Obviously you’ve got to be able to comply with them, which we’re sure you will because you’re complying with GDPR anyway. You literally just fill in the blanks and describe your security measures, and that contractually exports the EU GDPR protections along with the data transferred to you. So again, you’re effectively going to be subject to GDPR for that transferred data.
There you go: a quick run through Brexit and GDPR, and you’ve probably not finished your coffee. You can see it’s more important than ever to have principles-based Privacy Governance in place, which Keepabl can help you with. Do ask us how we can help.
And please do use #privacykitchen to tell us the topics and the questions you want us to cover.
Stay well in the meantime, and see you in Privacy Kitchen soon!