Brexit and Data protection - an update | DMA

Filter By

Show All
X

Connect to

X

Brexit and Data protection - an update

T-dma-brexit-logo10-3.png

Brexit and Data protection – an update

While the DMA continues to lobby all stakeholders to take a no deal Brexit off the table, we are conscious of the need to advise DMA members and others to take action now to prepare for the possibility of a no deal Brexit. The default position at the time of writing this article (18 March) is that the UK will leave the EU at 11:00 pm UK time on 29 March 2019 with or without a deal.

Although the Commons voted on Wednesday 13 March to take no deal off the table the necessary amendment to the UK EU Withdrawal Act has not been passed. The Commons motion passed did not amend the legislation. There is likely to be a third meaningful vote on the current draft of the EU-UK Withdrawal Agreement in the Commons during the Parliamentary week beginning Monday 18 March before the European Council Summit on Thursday 20 March. If the current draft of the EU-UK Withdrawal Agreement is approved by the Commons at the third attempt, then the UK Government may ask for a short extension from the 29 March to 30 June to enable the necessary legislation to be passed.

All 27 Member States of the EU would have to agree unanimously to such an extension, so an extension is not guaranteed. If the Government loses the third meaningful vote then it may ask the EU for a long extension, possibly for a further two years. If there is a long extension then it is likely that there will be a series of indicative votes in the Commons on various options, such as a second referendum, to determine how to proceed.

Brexit will not make a difference to the implementation of the GDPR into UK domestic law as the Data Protection Act 2018 will remain in full force and effect. The Government has produced draft legislation to make the necessary consequential amendments to the Data Protection Act 2018.

We know that the UK will become a third country for data protection purposes outside the EU but we do not know the date. A third country in data protection terms means that the country is outside the area in which personal data can be freely transferred from/to the European Economic Area (the remaining EU Member States after Brexit plus Iceland Lichtenstein and Norway) and that country without any additional measures to protect the personal information under EEA law.

However, there are steps which organisations can take now to prepare for the date when the UK becomes a third country. Any preparatory work will still be valid regardless of the date when the UK becomes a third country for data protection purposes. At the time of writing (18 March 2019) there are a number of possible dates when the UK will become a third country for data protection purposes outside the EU. These include the following:

1) 29 March 2019 in the case of a no- deal Brexit

2) 30 June 2019 or another date if the EU grants an extension to enable both the EU and the UK to make the necessary legal arrangements for a no deal Brexit

3) 31 December 2020 if the current draft as at 17 March 2019 of the EU- UK Withdrawal agreement is ratified by UK and EU institutions.

4) 29 March 2021 if the UK asks for a long extension and the EU grants this long extension

Organisations who transfer personal data out of the UK or to the UK need to be taking the following steps now:

1) Ensure that key staff in your organisation are aware of the issues in the same way as they were for GDPR implementation.

2) For UK based organisations review your organisation’s data flows and identify if it receives personal data from EEA countries and or third countries and transfers personal data to EEA Countries or third countries. You may be able to reuse work you carried out for GDPR implementation to help you. If the answer is yes then you will need to read the detailed guidance note.

3) For EEA based organisations, review your organisation's data flows and identify it received personal data from the UK and or third countries and transfers personal data to the UK or third countries. You may be able to reuse work you carried out for GDPR implementation. If the answer is yes then you will need to read the detailed guidance note.

Hear more from the DMA

Please login to comment.

Comments