The most significant confusion that firms will face post-Brexit will be regarding the smooth adoption of the new national GDPR policies.
With another Brexit extension coming in, firms are struggling to understand how to prepare themselves and their employees for adopting the new GDPR in their existing operations. Firms need to invest in analyzing the data flows to understand what precautions to take to avoid any unexpected data security consequences of Brexit. Analyzing or forecasting this is complicated as the ways of dealing with “deal/no-deal’ situations are different.
The first rule that a third country needs to follow is that they can do a ‘data deal’ or an ‘adequacy decision’ with the EU for sanctioning transfers of consumer data of Europeans to other countries without placing further safeguards. Israel, Jersey, Andorra, Argentina, Guernsey, New Zealand, Switzerland, and Uruguay have full adequacy decisions in place. And, countries like Canada, Japan and the USA follow partial arrangements.
Read more: Asia looks on the Bright side of Brexit
After Brexit, the UK will immediately implement a UK version of the GDPR called the UK GDPR. The UK GDPR will be substantively the same as the GDPR, and firms will need to apply all the same principles of operation as before. If Brexit gets done on the terms of the current draft of the ‘deal scenario,’ the UK GDPR will be considered adequate by the EU. In this case, the data flowing from the EU to the UK will not require any additional safeguards.
The UK Government has also confirmed that the UK GDPR will recognize the adequacy decisions of the EU. The GDPR itself will be considered adequate enough with no additional safeguards required for the flow of data outside the UK. So, in a ‘Deal’ scenario, data flowing in either direction will be protected with an adequacy decision in place.
In a ‘No Brexit Deal’ scenario, the UK Government has to recognize the adequacy decisions of the EU, considering the EU GDPR adequate for data flowing from the UK. The UK Government is in favor of reviewing this policy with the possibility that a subsequently negotiated trade agreement might create a different policy.
In a ‘No-Deal’ scenario, the withdrawal agreement will require alterations to remove the agreements relating to personal data. An adequacy decision will not cover the data flowing from the EU into the UK for processing. Probably, an adequacy decision will eventually be implemented as a part of the broader trade discussions later.
Further rules about safeguarding personal data to the European standard will be created based on the standard contractual clauses. Such clauses must be inserted without modification into the contract between the Europe-based data providers and the UK-based data recipient.
One primary consideration for UK-based firms is whether they need to appoint a European representative acting on their behalf to resolve matters related to data protection in Europe. Post-Brexit, UK businesses processing personal data of European consumers, lacking a legal presence in the EU, will need to appoint a representative.
Firms need to step forward to understand how data flows across the EU and consider incorporating the standard contractual clauses into their contracts related to personal data. Without such strict clauses, Europeans may legitimately refuse to share personal data with UK firms, and this may delay services or bring an abrupt end to business relationships.