Major uncertainties remain around the impact Brexit will have on data compliance requirements. Although we do not know what form Brexit will take, or when the UK will formally depart from the EU, businesses affected by Brexit should familiarise themselves with the major decision points now so that they are able to make appropriate decisions swiftly when the time comes.
Following Brexit, the Data Protection Act 2018 will effectively mirror almost all of the requirements that currently apply under the General Data Protection Regulation (GDPR). As a result, most UK businesses will see little change in their day-to-day data protection compliance obligations following Brexit. However, some changes are inevitable. The key areas of impact are likely to include:
- cross-border data transfers (i.e. transfers of personal data from the EU to the UK are likely to become more difficult, which is potentially further complicated by the pending decision of the Court of Justice of the EU in the Schrems II case);
- applicable law clauses in contracts (i.e. if a business has entered into contracts that state that one or both parties will comply with their obligations under the GDPR, those provisions should be reviewed, in light of the fact that the GDPR will cease to apply to most UK businesses after Brexit); and
- the ‘one-stop-shop’ mechanism under the GDPR (i.e. UK businesses that currently benefit from this mechanism, which enables them to deal primarily with the UK ICO as their main regulator for GDPR compliance issues across the EU, will need to reassess whether they can qualify for the one-stop-shop after Brexit, or whether they will need to deal with multiple national regulators going forward).
Tim Hickman, Partner at White & Case LLP, discusses these issues and more in an interview with DataGuidance. Watch the video here.