Legal Articles

GDPR and Brexit

Home / Knowledge base / GDPR and Brexit

Posted by Lindsay Ellis on 27 February 2019

Lindsay Ellis Partner - Head of Commercial

The introduction of the General Data Protection Regulation in May 2018 introduced a number of changes and reinforced a number of existing requirements relating to the processing of personal data.

The GDPR applied to all EU Members from May 25 and in the UK, it was automatically incorporated into national law by the European Communities Act.

When the UK leaves the EU, the European Communities Act will be repealed, however, the GDPR will become part of national law in the UK.

The need for a positive adequacy decision

Brexit may, dependent upon the basis on which the UK leaves the EU, have an impact on cross border transfer of personal data.

Up until March 29th, personal data can be transferred between EU members, including the UK. Assuming a withdrawal agreement is agreed, this is likely to remain the case until the end of the transition period, which is expected to be December 31st 2020.

From there (or in the absence of a deal), a lot will depend on whether the UK can secure an Adequacy Decision from the EU, confirming that an adequate level of protection of personal data is guaranteed by the regulations we have put in place.

Whilst the UK has implemented the GDPR, there is no guarantee that an Adequacy Decision will be made in our favour.

The European Commission has stated that it will endeavour to adopt a decision relating to the UK’s adequacy by the end of 2020 but only if ‘the applicable conditions are met’.

It should also be noted that the UK’s use of mass surveillance has led to some EU member states raising concerns about data protection regulation in the UK meeting the EU’s requirements.

An Adequacy Decision in favour of the UK would simplify the position on cross border data transfers post Brexit, but it is not a foregone conclusion.

Leaving the EU without an adequacy decision

For businesses operating in the UK, outbound international transfers of personal data will be subject to the GDPR as UK domestic law.

The guidance offered in the event of a No Deal proposes that the UK Government would implement regulations to transitionally recognise all European Economic Area countries as ‘adequate’, thereby permitting data transfers to continue.

For businesses operating in an EU member state, the UK’s status as a ‘third country’ would mean that under the GDPR adequate safeguards would need to be implemented for any inbound transfers of personal data from the EU to the UK.

About the author

Lindsay Ellis

Partner - Head of Commercial

Lindsay advises on outsourcings, procurements and commercial contracts.

Lindsay Ellis

Lindsay advises on outsourcings, procurements and commercial contracts.

Recent articles

03 June 2020 Why use lawyers to draft your will or administer an estate?

In theory, drafting your own will using an off-the-shelf template, purchased online or from good stationers, can be a quick and easy way of leaving instructions on how you want your assets to be distributed after your death. Nonetheless, a will is a legal document and if it has been incorrectly worded and / or witnessed it may be invalid, meaning your estate would pass in accordance with the rules of intestacy (government provisions setting out how an estate should be divided if there is no will).

Read article
03 June 2020 Covid-19: a tour de force of force majeure?

In the following article, UK supply chain and logistics consultant, Paul Trudgian, and logistics law firm, Wright Hassall LLP, consider the impact of Covid-19 on the logistics industry. At the time of writing, we are now into week ten of lockdown and, by now, it is likely you will have read an article or two about the possibility of using force majeure to excuse non-performance of obligations due to Covid-19.

Read article
03 June 2020 Good markets hiding bad advice

Welcome to Wright Hassall’s podcast on “Good Markets Hiding Bad Advice”.

Read article
How can we help?
01926 732512