GDPR and Brexit

Many debates discuss whether a “hard Brexit”, meaning the rejection of close alignment including single market and customs union with the EU, would be the only possibility for the UK’s exit. However, in terms of GDPR the exit may trigger other factors.

Regardless of the cogitation whether a “hard Brexit” could be avoided through new negotiations, the parties must prepare for the coming scenario; a “hard Brexit” has conceivably broad data protection implications on dataflows, processes, and documentation.

Companies inside the EU that continue to operate in the UK as joint-ventures, or that have parts of their supply chain or IT-supported processes there (e.g., data centers, branches) or that must in any way continue to exchange data with the UK would be among the most affected.

Even if the solution is another negotiated exit, it would still have broad implications, as it is still not clear to what extent the UK would continue to comply with the guidelines of the EU General Data Protection Regulation (GDPR) or if an adequacy decision between the EU data privacy legislation and a new law for the UK would unfold.

As the 29thof March 2019 quickly approaches, so does the possibility of the UK becoming a “Third Country” after leaving the EU in matters concerning the GDPR.

Consequently, we can assume that entities in the EU transferring data into the UK will have to follow new rules on data privacy and will have to adapt the necessary documents.

The GDPR information sheet on data processing and privacy policy of a website according to Article 13 Paragraph 1 Section f. or Article 14 Paragraph 1 Section f. determines that a Third Country should be informed about data transfer
If an affected person exercises his or her right of access to information, the affected person shall be entitled to obtain information also from Third Countries (according to Article 15 Paragraph 1 Section C Paragraph 2)
In the directory of processing activities, data transfers in Third Countries should be specifically defined as such and further information on this topic should be also indicated (Article 30 Paragraph 1 Section e and Article 30 Paragraph 2 Section c)
If necessary, Data Privacy Impact Assessments (DPIAs) should be carried out or reviewed also in the United Kingdom given its status as a Third Country (Article 35)

With a team comprised by experienced data security experts and certified data security auditors, Natuvion can help you with the analysis of data flows with the UK and the adaptation of the data transfer directory and processing activities. We also answer legal questions regarding data transfers in doubtful third countries with the support of our partner, the legal office SKW Schwarz Munich.