2020-02-17
Legal Articles

GDPR and Brexit


Posted by Lindsay Ellis on 27 February 2019

Lindsay Ellis - Business and Commercial Lawyer
Lindsay Ellis Partner - Head of Commercial

The General Data Protection Regulation, introduced in May 2018, brought a number of changes and reinforced a number of existing requirements relating to the processing of personal data.

The GDPR applied to all EU Members from May 25 and, in the UK, it was automatically incorporated into national law by the European Communities Act.

When the UK leaves the EU, the European Communities Act will be repealed; however, the GDPR will become part of national law in the UK.

The need for a positive adequacy decision

Brexit may, depending on the basis on which the UK leaves the EU, have an impact on the cross-border transfer of personal data.

Up until March 29th, personal data can be transferred between EU members, including the UK. Assuming a withdrawal agreement is agreed, this is likely to remain the case until the end of the transition period, which is expected to be December 31st 2020.

From there (or in the absence of a deal), a lot will depend on whether the UK can secure an Adequacy Decision from the EU, confirming that an adequate level of protection of personal data is guaranteed by the regulations we have put in place.

Whilst the UK has implemented the GDPR, there is no guarantee that an Adequacy Decision will be made in our favour.

The European Commission has stated that it will endeavour to adopt a decision relating to the UK’s adequacy by the end of 2020 but only if ‘the applicable conditions are met’.

It should also be noted that the UK’s use of mass surveillance has led to some EU member states raising concerns about data protection regulation in the UK meeting the EU’s requirements.

An Adequacy Decision in favour of the UK would simplify the position on cross-border data transfers post-Brexit, but it is not a foregone conclusion.

Leaving the EU without an adequacy decision

For businesses operating in the UK, outbound international transfers of personal data will be subject to the GDPR as UK domestic law.

The guidance offered in the event of a No Deal proposes that the UK Government would implement regulations to transitionally recognise all European Economic Area countries as ‘adequate’, thereby permitting data transfers to continue.

For businesses operating in an EU member state, the UK’s status as a ‘third country’ would mean that, under the GDPR, adequate safeguards would need to be implemented for any inbound transfers of personal data from the EU to the UK.

About the author

Lindsay Ellis

Partner - Head of Commercial

Lindsay advises on outsourcings, procurements and commercial contracts.
