General Data Protection Regulation and Brexit

The General Data Protection Regulation (GDPR) was adopted on the 14th of April 2016 and entered into force on the 25th of May 2018. The GDPR allows personal information to flow freely in the European Union (EU) without being subject to any further measures. However, if the United Kingdom (UK) leaves the EU without a specific agreement, this information flow will no longer be possible. Despite the uncertainty surrounding the outcome of Brexit, it is important for data controllers who transfer data between the UK and the EU to know how they will be affected.

Which steps should you take?

The Information Commissioner’s Office (ICO), the UK's independent regulatory body for data protection, has issued a document with six steps for data controllers to follow in preparation for Brexit:

  1. Continue to apply the GDPR rules – most of them will remain the same for the UK after the exit.
  2. If you transfer data from the EU to the UK, think about the safeguards you can put in place to ensure the flow of data once the UK is no longer part of the EU (e.g. standard contractual clauses, binding corporate rules).
  3. If you transfer data from the UK to the EU, these transfers will fall under the new provisions for transfer and documentation and will not be restricted.
  4. Review your organizational structure, processing activities and data flows to determine how Brexit will affect the data protection regimes applicable to you, in particular:
     - Would you be subject to UK rules, EU rules or both?
     - Which will be your lead Authority?
     - Do you need a European Representative?
  5. Review your documentation and identify if any updates are needed.
  6. Involve the key people in your organization and make sure they are aware of all the changes.

It is very likely that the UK government will seek an adequacy decision, meaning that the EU will recognize the level of protection of personal data in the UK as equivalent to the one in the EU. However, until this decision is in place, organizations are encouraged to take the steps above and determine the most appropriate transfer mechanisms.

Obelis at Your Service

If you wish to know more about the General Data Protection Regulation, please do not hesitate to contact us. Obelis Expert Consultants, having nearly 30 years of experience with EU Regulations, will answer any questions you may have and will gladly assist you in the process of ensuring the compliance of your data processing activities and the appointment of a GDPR Consultant.


Efrosina Zhivkova

Regulatory Department