GDPR after Brexit – all you need to know

After years of political seesaw Brexit day finally arrived on January 31, 2020. So far so good – but which effect will the UK’s withdrawal from the EU have on data protection regulation and compliance?

During the transition (or “implementation”) period that is expected to end December 31, 2020 there will be very little change because the UK will continue to be treated just like any other EU member state – so EU law continues to apply in the UK, which includes the General Data Protection Regulation (GDPR) as well.

UK based business or organisation that are currently processing personal data and that the GDPR currently applies for. As well as any business or organisation outside the UK targeting UK users and processing their data.

In fact there are three different laws that apply simultaneously domestically in the UK in 2020:

• the GDPR (which is still valid during transition period)
• the new UK GDPR (which is merely a matter of form and took effect on exit day January 31, 2020)
• the Data Protection Act 2018 (in an amended version which also took effect on January 31, 2020)

Since the EU GDPR will no longer apply directly in the UK after the transition period but UK organizations must still comply with its requirements, the UK government has issued the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. This amends the DPA 2018 and merges it with the requirements of the EU GDPR to form a data protection regime (the so called “UK GDPR”) that will work in a UK context after Brexit. 

There is very little difference between the EU GDPR and the UK GDPR. To be on the safe side organizations that process personal data should make sure to continue to comply with the requirements of the EU GDPR.

Right now it is unclear whether Britain will follow GDPR principles or adopt other rules that could affect the handling of user data. 

If they adopt other rules there is still a big question mark on how strict they will be. Looking at global regulatory trends and that even the US is looking to implement a stricter federal privacy regulation, there is substantial reason to expect British regulation to follow basic GDPR principles.

The UK continues to be a “safe third country” after 2020

To be classified as a “safe third country” the UK has to pass an adequacy assessment by the European Commission which has the power to determine if a country outside the EU offers an adequate level of data protection through its domestic law or its international commitments or not. If adequacy is granted, personal data can flow safely from the EEA to that third country.

The UK stops being a “safe third country” after 2020

If adequacy is not obtained, the default position will be the same as for a no-deal Brexit, according to the International Commissioner’s office ICO. The ICO will continue to post no-deal guidance on their website during the transition period.

Data transfer from the EU to the UK will become similarly complex like we know it from data transfers between the EU and the US. We will then need extensive data-sharing agreements in order to work together. 

There are several reasons why the GDPR is still relevant in the UK even after Brexit: 

• Since there is a transition period within Brexit there are no changes concerning data protection regulation and compliance in 2020.
  -> So as long as your business is already compliant with the EU GDPR you are on the safe side in 2020.
• UK based businesses with European users or customers do fall and will continue to do so under the extraterritorial scope of the GDPR.
  -> Make sure you comply with the requirements just like any other business outside of the EU.
• If the British government will implement a regulation of their own, it is expected to be similar to GDPR in many regards. For one reason, in order to facilitate European and  international data transfers, but also because the UK has a culturally strong background in privacy, much more than the US has.
  -> So whatever happens in 2021 regarding new regulations, it’s safe to assume that these regulations will be just as strict or even stricter than the EU GDPR which applies right now.

But there are also companies betting on a different outcome: Google for example just announced to transfer all British user data from EU servers to servers in the US due to Brexit. A decision that suggests it doesn’t trust the UK to achieve an adequacy agreement with the EU which would guarantee EU citizens’ data to be protected with the same rigor as under GDPR. But Google claims that despite the move British users will still have all the GDPR rights.

Interesting to know: Long before GDPR the UK implemented the ePrivacy Directive making cookie banners legally required for any website. So now – and with 2021 slowly approaching – it’s probably a good time to take a closer look at the following recommendations of the ICO regarding Cookie Consent and Cookie Banners:

• Businesses should implement the same GDPR compliant consent mechanism for UK users until a new regulation is set in place.
• Businesses need to ensure that any consent mechanism they put in place allows users to have control over all the cookies the website sets, not just their own.
• Consent cannot be bundled into terms and conditions or privacy notices. Businesses should be upfront with their users about their use of cookies. They should obtain consent by giving the user specific separate information about the way the cookies (or similar technologies) work and what they use them for. This explanation must be clear and easily available. Users must be able to understand the potential consequences of allowing cookies. They need to understand what they are being asked to agree to.
• Consent requires a positive opt-in. Pre-ticked boxes or any other method of default consent is not compliant to the GDPR.
• Withdrawing consent must be just as easy as giving consent.  
• Businesses need to name any third party controllers who will rely on the consent.
• Businesses must keep evidence of consent – who, when, how, and what users agreed or did not agree to. Preference management tools, like Consent Management Platforms, offer a convenient solution to this very technical challenge of documentation.

For the full requirements, please visit the ICO’s guide for organisations: https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/ 

Be aware: British authority ICO is one of the most active authorities in Europe when it comes to requiring consent and enforcing effective cookie banners. They will not stop to enforce UK GDPR until there is another regulation.

The good news: There are very little changes in terms of data protection requirements – at least in 2020. But unfortunately there is no time to relax during the transition period because if Brexit has taught us one thing so far it’s probably that you can never be sure things will turn out the way they were planned and scheduled. So make sure you prepare for 2021 by getting your website GDPR compliant.

Play it safe! A smart Consent Management Platform (CMP) can help you to obtain and manage the consents of your website users legally compliant, boost your users trust, protect your advertising revenue and protect your company from hefty fines.

Check out our Usercentrics CMP and request a demo now!