Summary: No. By complying with the GDPR, UK organizations will be in compliance before and after Brexit.
- Brexit Day is on March 29, 2019
- Brexit will not affect UK organizations, as there is a UK-specific version of the GDPR, the DPA 2018
- The UK still needs to negotiate terms on the transfer of EU personal data
Article excerpts from a forthcoming book – 99 Articles on the GDPR
It may have been heartbreaking to hear the news of the United Kingdom’s decision to leave the European Union. By now it comes as no surprise that the citizens voted to leave the EU by Friday, March 29, 2019. As part of the separation, both parties will need to address issues of the past and how future relations will be handled. However, some areas of focus, such as data privacy and protection, are still to be determined. It is clear, though, that Theresa May was in support of the exit when she stated: “Brexit is Brexit.”
The process of a member state quitting the EU is laid out in Article 50 of the Lisbon Treaty. It’s pretty short – just five paragraphs. The article says that the UK has to negotiate with the EU over a span of 2 years (unless both sides agree to extend it) and that the UK cannot be part of EU internal discussions. If these formal proceedings are adhered to, then it will end the primacy of EU law in the UK on Brexit Day.
As it pertains to privacy, the question remains: how will data confidentiality and protection be handled when the UK is affected by Brexit? Negotiations between the UK and EU will be based on 43 treaties and agreements between the 2 entities but, for the moment, it seems as though Parliament will turn EU law into UK legislation through the European Union (Withdrawal) Bill. This bill will allow the UK to change the law at a future date yet still have a legislative basis when Brexit does occur.
The good news for UK organizations is that, although they are currently subject to the GDPR, they do not have to spend further resources, time or effort in contemplation of Brexit Day, as the UK passed a near-identical UK-specific version of the GDPR, the Data Protection Act 2018 (DPA 2018). Like the GDPR, it has an extra-territorial effect, so it applies to non-UK businesses that offer goods or services to UK residents or that monitor UK residents. However, when Brexit happens, the UK will still need to negotiate the transfer of personal data outside the EU through language pertaining to “adequacy” in Article 45. Yet despite the murkiness of Brexit, UK organizations should focus on complying with the GDPR, since any separation that may happen in the future will have little effect on current or future compliance.