Data protection: preparing for Brexit
Although there is uncertainty about what arrangements will apply when the UK leaves the EU, there are a number of practical steps that can be taken now to prepare from a data protection perspective and to ensure that any data flows to and from the EU can continue post Brexit.
Although there is uncertainty about what arrangements will apply when the UK leaves the EU, there are a number of practical steps that can be taken now to prepare from a data protection perspective and to ensure that any data flows to and from the EU can continue post Brexit.
- Understand your data flows.
As part of preparing for the General Data Protection Regulation 2016/679 coming into force in May 2018, your organisation will have carried out a data mapping exercise. If this is up-to-date then you will be able to use this to assess to what extent your organisation will be impacted by Brexit. Where this is not up-to-date then this is a good opportunity to review it and update it.
The key is to identify any data flows to and, more importantly, from countries in the EU. Even if you do not think information is being transferred you will need to carefully consider your data processing arrangements and any sub-processing arrangements.
After Brexit, countries in the EU who are transferring personal data to the UK will need to comply with the international transfer provisions in the GDPR, until an adequacy decision is made by the European Commission in respect of the UK. In most cases this will be by using the Standard Contractual clauses.
- Consider whether the territorial scope provisions in Article 3 of the GDPR mean that your organisation will need to appoint an EU representative and , if so, take steps to identify and appoint an appropriate representative.
- Understand what policies, procedures and other documents may need revising following Brexit.
Regardless of the type of Brexit, the Data Protection Act 2018 will remain in force as this is domestic legislation. In terms of the GDPR, the Government has passed regulations that mean the GDPR will be incorporated directly into UK law (becoming the “UK GDPR”) and operating alongside the DPA 2018. If we Brexit with a ‘deal’ then there is likely to be a transition period where the GDPR will apply before we move to fully domestic arrangements. This may potentially allow for more detailed arrangements to be agreed to govern the transfer of data from the EU to the UK. - Maintain a watching brief to ensure that you are aware of important developments and any new guidance that is published.
- Finally, the Information Commissioner’s Office has published guidance to assist organisations with preparing for Brexit, including recent guidance aimed and small and medium organisations. Being familiar with this guidance and following it where appropriate will help your organisation to prepare and ensure you can meet your accountability obligations under the GDPR.
In any event, priority should be given to updating privacy notices and other data subject facing documents so that they can continue to understand how to exercise their data subject rights and to ensure you can continue to demonstrate compliance with your transparency obligations.
Related expertise
You may be interested in...
Press Release
‘Privacy by design’ approach will help health and care organisations gain public trust in using technology as ICO publishes new guidance
Legal Update
Understanding the ICO's new fining guidance
Legal Update
ICO consultation on accessing care records: A legal perspective
Legal Update
Cyber-attacks in UK universities: Why failing to prepare is no longer an option
Legal Update
Artificial intelligence – shaping a sustainable future
Press Release
Spring Budget 2024: Browne Jacobson reaction
Legal Update
Not quite a blanket ban on mobile phones in schools: DfE guidance insights
On-Demand - Shared Insights
Shared Insights: Sexual safety in the workplace — how leaders can help to create a sexual safety culture
Legal Update
Progress on the Automated Vehicles Bill
Legal Update
Data protection in higher education: what to expect in 2024
Legal Update
The rise of AI in construction
Legal Update
Government foreshadows significant savings for public bodies as part of data protection overhaul
Legal Update
ICO consultation on transparency in health and social care
Legal Update
How to mitigate risk in disputes arising from AI use in technology projects
Opinion
Monitoring workers – ICO guidance
Legal Update
ICO consultation on fertility tracking apps
Published Article
UK: Legal issues with deepfakes
Legal Update
New guidance for employers on subject access requests published by the ICO
Legal Update
Ali Round 2 - High Court gives further guidance on causation and quantum for data breaches
Press Release
Browne Jacobson welcomes former ICO lawyer to support growing UK&I data privacy and tech practice
Legal Update
Update on data protection claims - Austrian Post Case
Press Release
Browne Jacobson launches specialist Ascensus programme for in house lawyers and business leaders
Opinion
Mopping up after a leak – how businesses can take steps to protect their confidential information
Legal Update
Cyber security and data breaches
Legal Update
Update on the Digital Services Act (“DSA”) – Important Dates and Deadlines Looming
Legal Update
Government publishes its proposals for expanding the Scope of the Network and Information Systems Regulations 2018
Legal Update
Protecting children and their data in the online environment
Published Article
Bruce Willis AI and the problem with deepfakes
A deepfake of Bruce Willis is advertising Russian mobile phones. Many great artistic and metaphysical questions are raised by this performance. However, this article is going to look at the intellectual property law implications, from a UK perspective.
Legal Update
DSA approved: Targeted Advertising Rules explained
Legal Update
Economic crime and cybercrime
It is clear that the digital landscape, often termed cyberspace, is a man-made environment, in which human behaviour dominates and where technology both influences and aids our role in it — through the internet, telecoms and networked computer systems, which are often interdependent. The extent to which any organisation is potentially vulnerable to cyber-attack depends on how well these elements are aligned.
Legal Update
Data reform in the UK
Since the UK left the EU and are now able to move away from the EU data protection regime, the UK government have implemented a national data strategy with the aim of reducing the burden on organisations but maintaining a high data protection standard.
Legal Update
Are local authority companies subject to the Freedom of Information Act 2000?
In this article we look at local authority companies and whether they are subject to the Freedom of Information Act 2000. And for those that are, what information are they legally obliged to submit.
Legal Update
Digital Markets Act and Data Platforms - FRANDs for life?
The Digital Markets Act (the “DMA”) joins the dots between competition law and data protection law and actively targets data-driven platforms. It is also a comprehensive regulation to take note of, with familiar GDPR-style fines tied to turnover.
Legal Update
Avoiding the pitfalls of WhatsApp
The use of social media platforms and applications can have overwhelmingly positive benefits for public bodies. However, regulatory action recently taken by the Information Commissioner, has highlighted various pitfalls that public bodies should seek to avoid if allowing staff to use social media as a communication tool.
Legal Update
ICO consultation on research provisions guidance
The data protection legislation (namely, the UK GDPR and Data Protection Act 2018) contain various provisions that deal with the processing of personal data for research purposes.
Legal Update
More good news for data controllers: High Court finds local authority not vicariously liable for the actions of social worker who went off on a "frolic of her own"
Published Article
Five top tips for strong data compliance in 2022
This article has five excellent top tips for strong data compliance in 2022, including; embracing near misses, leading from the top, outcomes-focused training, learning walks, consequences.
Legal Update
Stemming the tide of data breach claims: good news for data controllers
The cases summarised give considerable comfort to data controllers seeking to defend themselves against claims that relate to breaches arising as a result of a failure rather than a direct act and/or are based on assertions of damage or distress that are exaggerated, unsubstantiated or bear little relation to the breach itself.
Press Release
Reaction: Supreme Court rules in favour of Google
Legal Update
What are the requirements of cookie law
Cookies and similar technologies are a useful and often necessary tool for online businesses, but their use is governed by both the Privacy and Electronic Communications Regulations (PECR) and the GDPR.