Legal Articles

GDPR and Brexit

Home / Knowledge base / GDPR and Brexit

Posted by Lindsay Ellis on 27 February 2019

Lindsay Ellis - Business and Commercial Lawyer
Lindsay Ellis Partner - Head of Commercial

The introduction of the General Data Protection Regulation in May 2018 introduced a number of changes and reinforced a number of existing requirements relating to the processing of personal data.

The GDPR applied to all EU Members from May 25 and in the UK, it was automatically incorporated into national law by the European Communities Act.

When the UK leaves the EU, the European Communities Act will be repealed, however, the GDPR will become part of national law in the UK.

The need for a positive adequacy decision

Brexit may, dependent upon the basis on which the UK leaves the EU, have an impact on cross border transfer of personal data.

Up until March 29th, personal data can be transferred between EU members, including the UK. Assuming a withdrawal agreement is agreed, this is likely to remain the case until the end of the transition period, which is expected to be December 31st 2020.

From there (or in the absence of a deal), a lot will depend on whether the UK can secure an Adequacy Decision from the EU, confirming that an adequate level of protection of personal data is guaranteed by the regulations we have put in place.

Whilst the UK has implemented the GDPR, there is no guarantee that an Adequacy Decision will be made in our favour.

The European Commission has stated that it will endeavour to adopt a decision relating to the UK’s adequacy by the end of 2020 but only if ‘the applicable conditions are met’.

It should also be noted that the UK’s use of mass surveillance has led to some EU member states raising concerns about data protection regulation in the UK meeting the EU’s requirements.

An Adequacy Decision in favour of the UK would simplify the position on cross border data transfers post Brexit, but it is not a foregone conclusion.

Leaving the EU without an adequacy decision

For businesses operating in the UK, outbound international transfers of personal data will be subject to the GDPR as UK domestic law.

The guidance offered in the event of a No Deal proposes that the UK Government would implement regulations to transitionally recognise all European Economic Area countries as ‘adequate’, thereby permitting data transfers to continue.

For businesses operating in an EU member state, the UK’s status as a ‘third country’ would mean that under the GDPR adequate safeguards would need to be implemented for any inbound transfers of personal data from the EU to the UK.

About the author

Lindsay Ellis

Partner - Head of Commercial

Lindsay advises on outsourcings, procurements and commercial contracts.

Lindsay Ellis

Lindsay advises on outsourcings, procurements and commercial contracts.

Recent articles

25 September 2020 Extension of the temporary provisions contained within the Corporate Insolvency and Governance Act 2020

On 24 September 2020 the government announced an extension to the temporary provisions contained within the Corporate Insolvency and Governance Act 2020 (CIGA 2020).

Read article
24 September 2020 Chancellor unveils new Job Support Scheme

Chancellor Rishi Sunak has just announced in the House of Commons, a successor to The Coronavirus Job Retention Scheme, (the “Furlough Scheme”) which, it has been confirmed, will end on 31 October 2020 as planned.

Read article
24 September 2020 Practical considerations for exiting lockdown successfully - CWCC Chamber Live Webinar Notes - 24 September 2020

An overview of practical considerations for directors and companies on exiting lockdown successfully.

Read article
How can we help?
01926 732512