Law Lessons: Exploring The Effects Of GDPR Pre and Post Brexit

Roland Moore-Colyer,
GDPR EU

Dr. Philip Trillmich, partner in the Global Intellectual Property Practice, and Tim Hickman, associate at law firm White & Case discuss GDPR and Brexit.

What happens after Brexit takes effect?

EU Brexit referedumThe direct consequences of Brexit for UK businesses depend largely on how the UK’s relationship with the EU and the European Economic Area (EEA) will look post-Brexit:

If the UK joins the EEA, then the GDPR will continue to apply in the UK. There will be some minor practical changes (e.g., businesses will not be able to select the UK as their place of “main establishment” for data protection purposes, and the UK Information Commissioner’s Office (the “ICO”) will have diminished influence in the EU). However, on the whole, the same data protection compliance requirements will continue to apply in the UK post-Brexit under this scenario.

If the UK does not join the EEA, then the GDPR will no longer apply in the UK. It will no longer be lawful to transfer personal data from the remaining EU Member States to the UK without additional legal protections (e.g., consent, or contractual safeguards). The UK will almost certainly seek an “adequacy decision” from the European Commission (removing the need for these additional protections). In order to obtain such a decision, the UK will need a national data protection law that provides essentially the same level of protection as is provided by the GDPR.

However, even if the UK does obtain an adequacy decision, it will not necessarily have that decision in place on the effective date of Brexit, meaning that businesses may have to implement additional data transfer safeguards as an interim measure.

The ICO has stated that it will work with the government and provide advice on the continuing application of the GDPR, or any replacement regime, after Brexit.

For UK businesses, the key conclusion is that GDPR compliance needs to be achieved by 25 May 2018. Post-Brexit, the UK will either be subject to the GDPR, or is likely to have a law that is functionally very similar to the GDPR. Consequently, efforts made to achieve GDPR compliance are likely to be sensible investments that will stand businesses in good stead over the long term.

Written by Dr. Philip Trillmich, partner in the Global Intellectual Property Practice, and Tim Hickman, associate at law firm White & Case

Are you a security pro? Try our quiz!