open search
close
Internationales Arbeitsrecht United Kingdom

UK: No deal #Brexit and data protection

Print Friendly, PDF & Email
Brexit

This article discusses the impact of a no deal Brexit on data protection issues for businesses transferring data to or from the UK and how they should prepare for this possibility. With the Brexit D-day of 29 March looming, organisations have asked us to help prepare a Brexit Data Response Plan in case of a potential no deal Brexit. Building on the UK Information Commissioner’s Office (ICO); and Department for Digital, Culture Media & Sport (DCMS) Guidance Notes, we provide below some data protection considerations and sensible actions to take to ensure that your organisation’s data governance is ready.

What will not change?

GDPR
General Data Protection Regulation 2016/679 (GDPR): Businesses should continue to maintain compliance with GDPR standards, as GDPR will still be applicable through the UK.

PECR and NIS
Both Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and Network and Information Systems Regulations 2018 (NIS) will continue to apply.

Data transfers from the UK to the EEA
The UK will still recognise transitionally all EU and EEA countries and Gibraltar as ‘adequate’, all EU adequacy decisions in relation to third countries, and the EU model clauses (SCCs), as providing ‘adequate’ protection for data flows out of the UK.

Data transfers from the UK to the US
The UK will still recognise the EU-US Privacy Shield, provided that US organisations comply with new guidance set out on the US Government’s Privacy Shield website, which requires amending public commitments applicable to transfers of personal data from the UK.

Binding Corporate Rules for data transfers (BCRs) 
There is continued recognition by the ICO of BCRs that have been authorised before Brexit.

What will change?

Data transfers from the EEA to the UK
The UK will be considered a ‘third country’ by the EU and no ‘adequacy’ decision by the EU Commission will apply. Data transfers from the EU to the UK will need to be subject to the same ‘appropriate safeguards’ (e.g. the use of SCCs) that apply to other third countries.

Appointing an EU or a UK representative
Controllers or processors based outside or inside the EEA may need to appoint a representative in the UK if they offer goods or services to, or monitor the behaviour of, UK individuals. Equally, any UK-based controller or processor without a presence in the EEA, targeting EEA individuals, may need to appoint an EU representative.

Binding Corporate Rules (BCRs) for data transfer
Existing BCRs certified by the ICO may not be recognised by the EU supervisory authorities, affecting data transfers from the EEA to the UK.

One-Stop Shop and Lead Supervisory Authority (LSA)
The ICO can no longer act as a LSA. UK-only based organisations, or those only present in the UK plus one EU country, may no longer have access to the one-stop-shop mechanism.

Organisational awareness
Company boards need to empower the legal team, the compliance team and/or DPOs to ensure that plans and budgets are allocated to the Brexit Data Response Plan.

Verwandte Beiträge
Internationales Arbeitsrecht Neueste Beiträge

The general public's enthusiasm for artificial intelligence (AI) technologies is making its way into the workplace.

While AI offers many advantages, employers must remain aware of the risks that a lack of supervision can generate.  Avoiding discrimination Discrimination is one of the risks most feared by the intrusion of AI into decision-making processes, particularly in terms of recruitment and candidate selection. Failure to comply with non-discrimination rules exposes the employer to various risks, ranging from the invalidity of the decision in…
Internationales Arbeitsrecht Neueste Beiträge

Can employers monitor their employees’ social media posts?

Increasingly, employers are being made aware of employee misconduct that is evidenced by photos, videos or other social media posts. What are employers allowed to do when it comes to their employees‘ posts, what are the limits, what should they bear in mind when using these posts? Here we consider the situation in Germany, with comments from our experts in 19 other jurisdictions. Employee posts…
Brazil Internationales Arbeitsrecht Neueste Beiträge

Data protection in Brazil: what to expect this year

In 2023, the Brazilian General Data Protection Law (LGPD) celebrates five years since its publication. Since its entry into force in 2020, the LGPD has come a long way, but there are several legal issues relating to the protection of personal data that still need further refinement.  Brazilian Data Protection Authority Among the main changes since the enactment of the LGPD has beenthe change in…
Abonnieren Sie den kostenfreien KLIEMT-Newsletter.
Jetzt anmelden und informiert bleiben.

 

Die Abmeldung ist jederzeit möglich.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert