After years in flux, Great Britain has formally withdrawn from the European Union. The country's departure is unprecedented and has raised several questions about British compliance with EU regulations — which are still in effect, who is still bound, for how long and more.
One of the biggest questions is how Brexit will impact data protection in the wake of the EU's landmark privacy rule, the General Data Protection Regulation, or GDPR.
Here is how the U.K.'s exit from the EU will intersect with GDPR in the event of Brexit.
Even though the U.K. has formally exited the EU, very few of the expected legal impacts of Brexit will happen right away. Under the terms of the Withdrawal Act 2018, the U.K. is still bound by many EU regulations and granted key freedoms — like freedom of movement — which will stay in place in the near future. Concerning data protection and GDPR compliance, nothing significant will change during the transition period this year, which ends on Dec. 31, 2020.
After that date, the U.K. will become a "third country" under the terms of the GDPR, unless it is deemed adequate by the EU.
If the U.K. becomes a third country, GDPR restrictions will apply to personal data transferred there from the EU. Companies will also need to update their privacy policies to reflect the U.K.'s status.
Classification of "adequate" requires the U.K. to adopt data protection equivalent to those in the EU. Last year, the U.K. accomplished this by folding its own version of the GDPR, the U.K. GDPR, into the Data Protection Act 2018. It's equivalent to the GDPR in all aspects and is expected to effectively harmonize British data regulations with existing EU standards — which should ensure a decision of adequate status from the EU.
If granted, this adequate status could result in a return to business as usual. In this scenario, it's likely that companies in the U.K. won't need to make any changes to their current data collection policies, so long as they're already GDPR-compliant.
At the moment, there is no clear timetable for when the European Commission will make its adequacy decision on the U.K. Current evidence suggests that the commission is preparing to make an adequacy decision before the end of the year. However, there's nothing guaranteeing a timely resolution.
In late February, the European Data Protection Supervisor (EDPS) said there might be "obstacles" in the way of an adequacy agreement and that the EU and U.K. should "prepare for all eventualities." In March, the U.K. government published an explanatory framework that argued in favor of the country being deemed adequate. Rocio de la Cruz, a data protection lawyer, said this was a sign that the UK may still be taking decisions from the EU. Cruz also said she "would not count on being an adequate country by the end of this year."
Even if the EU finds the U.K. standards adequate, it may not be granted that status before the end of the transition period. There could be several months or more after December 31, 2020, where the EU regards the U.K. as a third country.
In any case, U.K. companies continuing to do business in the EU will still be bound by GDPR regulations, just like any company based outside the EU that serves customers in the Union.
Businesses currently bound by GDPR will need to continue following EU data regulations. They should expect that any of the GDPR impacts the company has felt so far will continue. User data will need to be adequately protected, and you will need to ask for prior consent before collecting user data, just as before.
Businesses should, however, prepare for the possibility that the U.K. is not deemed adequate, or that the European Commission fails to update the U.K.'s status to adequate before the end of the transition period. This would result in the U.K. being regarded as a third country, at least for a brief period.
While the U.K. is regarded as a third country, businesses will effectively need to create their own GDPR safeguards and company policies that ensure the proper use and handling of personal data if they want to stay compliant. U.K. businesses will still be subject to fines from the EU if they fall out of compliance with the GDPR, even while the U.K. is considered a third country.
If the U.K. is granted adequate status, businesses will likely feel little difference when it comes to data protection regulation. If not, staying compliant with the GDPR may be a little bit more complicated, with companies needing to put new safeguards and stricter controls in place to ensure the proper processing of data. They will also need to notify their customers of the U.K.'s third country status.
However, disruption from the U.K.'s third country status is expected to be short-lived. The U.K. government and the EU appear to be in total agreement when it comes to standards that businesses should follow to ensure the proper handling of customer data. While Brexit is likely to have major impacts on many different aspects of British business and dealings with the EU, data protections seem to be a settled issue.
AODocs is a content services platform designed to modernize the way businesses work - offering a low code environment to build content-rich applications, powerful automation and workflows, and business applications with comprehensive security and compliance capabilities.
Jenna Tsui is a cybersecurity and technology writer with bylines on sites such as Technology Networks, Uniwebb, Triple Pundit, and more. To read more of her posts, please visit The Byte Beat or follow her on Twitter.