What happens to GDPR when the UK leaves the EC?
(GDPR is dead! Long live the Data Protection Act!)
As the dust settles after the launch of the General Data Protection Act (GDPR) in May 2018, attention is turning to what impact we should expect from GDPR and Brexit.
Our CEO, John Paterson, takes a look at the implications and potential outcomes.
UK companies holding data but not holding data on EC citizens
In the UK, the recently passed Data Protection Act enshrines all the protections offered to EC citizens by GDPR into UK law, plus a few more. If you are a UK company and don’t hold data on EC citizens, you don’t have anything to worry about as long as you are GDPR compliant.
UK companies holding personal data on EC citizens
If you are a UK company and do hold personal data on EC citizens then the data of those citizens will continue to be subject to GDPR, under EC (not UK) law. If you hold data on a lot of EC citizens and don’t have an office within the EC, then you should consider appointing a legal representative in the EC to deal with GDPR issues.
UK companies holding data within the US
Currently, UK companies can hold data within the US under the EC-US Privacy Shield. When the UK leaves the EC this arrangement will cease to exist unless the UK negotiates a similar arrangement between the US and the UK, which it cannot start to do until after Brexit.
There is also the possibility that the Privacy Shield agreement will be struck down by the EC courts for the same reasons that caused the demise of the ill-fated Safe Harbor agreement. Either way, you’ll need to negotiate a new contract with the US processor, so it will be a lot easier if you hold the data in the UK or EC.
EC companies wishing to hold data in the UK
As part of the Brexit negotiations it is hoped that the EC will include the UK in the list of countries that have “adequate” data protection and will, therefore, be GDPR compliant. This is likely to be the case as the Data Protection Act has all the GDPR provisions within it.
If for some reason the EC does not immediately add the UK to that list of countries, most likely because they have bigger issues to deal with, then the UK will be a “third country” in GDPR parlance and companies will have to rely on other legal bases such as Binding Corporate Rules to comply. There are also expected to be transitional arrangements to cover data transfers but, like many other details, we’ll only know what those are nearer the time.
How does this affect me if I’m holding my data in Really Simple Systems CRM?
All Really Simple Systems’ production data is held in the EC, in Belgium, and our support office that processes customer data for import is also in the EC, in Budapest. Because we have an office in Budapest we don’t need to appoint an additional EC-based representative.
From what we know about the Brexit negotiations, we will continue to be GDPR compliant without any changes to our data policies or legal agreements. In the unlikely event that the UK exits the EC without mutual recognition of data legislation, we will provide our EC customers with additional legal guarantees that their data stored with us continues to be GDPR compliant.