A tale of two GDPRs: the data protection implications of Brexit

EU jigsaw with Britain missing

When the UK left the EU on 31st December 2020 it signaled the arrival of a number of changes – new European travel rules, a new immigration system and return of Duty Free shopping (hurrah!) to name but a few. For businesses – based in the UK, the EEA and the rest of the world – the main issue is trade and how to ensure that the flow of goods and services is as pain-free as possible. Companies also need to be aware that along with customs declarations, border checks and restrictions on certain animal food products, Brexit also brings some crucial changes to the laws and rules relating to data protection. 

Here’s our quick guide:

And then there were two…
As if one GDPR wasn’t enough to contend with, since the UK left the EU on 31st December 2020, a second, UK version has come into effect. 

  • The original GDPR will continue to apply to the EU member states. This will be known – in the UK – as the “EU GDPR”. 
  • In the UK, a new “UK GDPR” has come into force, which will effectively mirror the EU GDPR in almost all respects, except for some minor tweaks to make it UK-specific. 

This means that: 

  • UK-based businesses will need to comply with the UK GDPR 
  • UK-based businesses that offer goods or services to, or monitor the behaviour of, individuals in the EEA will, in addition, need to comply with the EU GDPR 
  • Any EEA-based business will need to comply with the EU GDPR 
  • Any non-UK businesses that offer goods or services to individuals in the UK or that monitor those individuals’ behaviour will in addition, need to comply with the UK GDPR 

For example, if you’re an ecommerce business based in the UK that offers goods/products to consumers in the EU you will need to comply with both the UK GDPR and the EU GDPR.

On the surface this sounds quite complicated. But initially it shouldn’t pose too much of a problem. The UK GDPR and the EU GDPR are, to all intents and purposes, identical. However, as time goes by, differences may emerge and organisations will need to ensure that they are compliant with both.

In addition to the GDPRs, there are of course other data protection laws, in particular the ePrivacy Directive (in the UK the Privacy and Electronic Communications Regulations (PECR). These laws will continue post-Brexit, but at some point, the EU will introduce a new law – the ePrivacy Regulation. When that eventually arrives, (it has been much delayed), it will not apply to the UK. This means that there are likely to be significant differences between the respective ‘cookie laws’ and the rules regarding email marketing in the UK and the EU.

International data transfers 
Although the Brexit deal allows personal data to continue to flow freely between the EU/EEA and the UK (for up to the next six months), data transfers to countries outside of those areas remain challenging – both for organisations in in the UK and the EU/EEA. 

Both the ICO and the government have issued statements recommending that organisations put in place alternative transfer mechanisms “to safeguard against any interruption to the free flow of EU to UK personal data”. 

We’re therefore advising our clients to identify all of their personal data transfers – such as contracts they may have with third parties that result in personal data being sent to, or accessed from, another country – and to segment them into data transfers between the UK and the USA, and between the UK and the rest of the world. These transfers will need to be reviewed and potentially updated in order to remain compliant with the rules regarding international data transfers. 

Appointing EU/UK representatives 
If an organisation is required to comply with the EU GDPR as well as the UK GDPR, but does not have an EU presence, then it will need to appoint an EU representative to deal with EU-based data protection regulators on behalf of the EU-based individuals whose personal data you process. 

Similarly, non-UK organisations located in the EU, but without a UK presence will need to appoint a UK representative. 

Once again, this sounds like a complicated undertaking, but is relatively straightforward with the right data protection specialist to support you. 

Data protection-related documentation 
Many organisations will have to make updates to their data protection-related documentation – most notably, privacy notices (policies), data-processing addenda and similar contractual arrangements, as well as internal policies and records. 

Below are some of the key issues that should be considered when reviewing existing contracts and negotiating new agreements: 

  • References to the EU or the EEA: Check all references to the EU or the EEA carefully. It is likely that any reference to the EU or the EEA will need to be extended to expressly include or exclude the UK. 
  • References to EU legislation and EU regulators: Watch out for any references to EU legislation. Most EU legislation up to 31 December 2020 will form a part of “retained EU law” and will therefore apply in the UK after the end of the transition period. Unless the parties are required to comply with the original EU law, it will be best practice to amend any references to EU legislation to refer to the EU law as preserved in or converted into UK domestic law. Review all references to EU institutions and EU regulators. Ensure they are amended to refer to the domestic succeeding institution or regulator unless reference to the EU equivalents remains relevant. 

The Brexit agreement specifically states that both the UK and the EU “affirm their commitment to ensuring a high level of personal data protection” and a willingness “to work together to promote high international standards”. This seems to quash the possibility of the UK lowering its data protection standards. 

There are also provisions that state cross-border data flows should not be restricted between the EU and the UK by requiring the localisation of data in a party’s territory for storage or processing. 

Although the intention appears to be for the UK and the EU to ensure that their respective data protection laws are as consistent as possible, we cannot escape the fact that these economic and political divides exist. Which means that things can change, and most likely will in the fullness of time. In order to abide by these laws, organisations must first ensure that they know what these changes are, that they understand them fully and that they have the skills and expertise to make the necessary adjustments to their policies and procedures. 

Specialist data protection services such as those provided by norm. can help with this.

This advisory, which is based on various sources including the ICO, is for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such. 

Robert wassall

Written by Robert Wassall
Robert Wassall is a solicitor, expert in data protection law and practice and a Data Protection Officer. As Head of Legal Services at NormCyber Robert heads up its Data Protection offering and advises organisations across a variety of industries. Robert and his team support them in all matters relating to data protection and its role in fostering trusted, sustainable relationships with their clients, partners and stakeholders.