Government updates GDPR for a "No Deal" Brexit

Published on Thursday, December 13, 2018 - 20:05 by Peter Galdies

The ICO has issued guidance on how organisations can start preparing for data protection compliance if the UK should leave the EU on 29 March 2019 with a "no deal" Brexit.

On the same day the Department for Digital, Culture, Media & Sport (DCMS) has also revealed plans for legislative changes to ensure the UK data protection framework continues to operate effectively when the UK is no longer an EU Member State.

The Government will make appropriate changes to the GDPR and the Data Protection Act 2018 that will:

  • Preserve EU GDPR standards in domestic law
  • Transitionally recognise all EEA countries (including EU Member States) and Gibraltar as ‘adequate’ to allow data flows from the UK to Europe to continue
  • Preserve the effect of existing EU adequacy decisions on a transitional basis
  • Recognise EU Standard Contractual Clauses (SCCs) in UK law and give the ICO the power to issue new clauses
  • Recognise Binding Corporate Rules (BCRs) authorised before Exit day
  • Maintain the extraterritorial scope of the UK data protection framework
  • Oblige non-UK controllers who are subject to the UK data protection framework to appoint representatives in the UK if they are processing UK data on a large scale

These steps appear to be designed to provide a straightforward path to negotiating an adequacy arrangement. In the interim, however, organisations that have data flows from the EEA to the UK will be affected, and for these the ICO's guidance recommends the use of Standard Contractual Clauses.

UK-based organisations should review the structure of their European operations to understand whether they will be able to continue to benefit from the One-Stop-Shop. If not, they may find themselves dealing with both the ICO and the supervisory authority in the other EU or EEA state where they are established.

Should a "no-deal" Brexit come to pass, the ICO will no longer be a supervisory authority for the purposes of the EU GDPR and so will not be an EDPB member. However, the ICO has made clear that it wishes to retain a strong relationship with the EDPB after exit, and the EDPB is very likely to want to reciprocate, as the UK currently shoulders much of the work undertaken by that body.

You can read the proposed regulatory changes published by the DCMS here and the "No Brexit Deal" ICO guidance here.

"No-deal" Brexit and Privacy Regulation