GDPR: Personal Data Transfers to and from the EEA/EU Post-Brexit
It is August 2019 and it finally looks like the UK will leave the European Union within a few months. Until the UK has formally left the EU (Brexit), UK organisations that are data controllers and/or data processors remain subject to the EU General Data Protection Regulation (the GDPR).
But what happens once the UK has left the EU? There are several consequences of Brexit in relation to personal data transfers that organisations need to be aware of, and they need to consider whether action is required to mitigate the effects likely to occur post-Brexit.
The current free movement of information, and specifically the transfer of personal data between the UK and other EU member states in both directions, is only possible because of the GDPR. Where personal data is to be transferred to a ‘third country’ outside of the EU, the GDPR lays out specific and legally enforceable requirements; it permits the free transfer of personal data to a third country only where that third country is the subject of an ‘adequacy’ decision. Adequacy means that the third country has been assessed and recognised as having legal frameworks that provide protections equivalent to those within the EU.
‘The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection’.
Any personal data transfers to countries outside of this list (including onward transfers) can only be conducted where the data controller or processor has taken ‘measures to compensate for the lack of data protection in a third country by way of appropriate safeguards. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority’. Where ‘administrative arrangements are not legally binding’, authorisation from the data protection regulator must be sought for such personal data transfers.
Although the European Union (Withdrawal) Act 2018 makes provision for incorporating direct EU legislation, including the GDPR, into UK law, the GDPR must be read in conjunction with the Data Protection Act 2018. On the day of Brexit the UK will become a third country and will not be on the adequacy list until the EU has completed the adequacy process, which may take several months.
This will mean that data controllers and processors will have to put in place ‘appropriate safeguards’ as described above. In addition, UK data controllers or processors post-Brexit will be outside of the EU, and where they are processing the personal data of data subjects who are in the Union (EU), they will have to ‘designate in writing a representative in the Union’ where processing is not ‘occasional, [and includes] on a large scale, [the] processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is [likely] to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or a public authority or body’.
What does this mean for UK organisations? All organisations need to understand their data flows. Completing a proper data analysis and a record of data processing activities, covering what data comes from where, flows to where, through what, for what purpose, etc., will help an organisation identify whether personal data is transferred to third countries (including into member states within the EU) and the lawful basis under which it is transferred.
As a post-Brexit example: an organisation (controller or processor) is in the UK, and an individual data subject in the EU sends it their personal data for the purpose of completing a purchase to be shipped to them in their EU home country. This is not considered a ‘data transfer’, and this type of personal data movement can continue. However, if an organisation in the EU sends the UK organisation a list of data subjects to whom goods should be sent, this will be classed as a data transfer and additional measures must be used.
All UK organisations have a legal duty to know where personal data is going and what lawful basis exists, and the UK data protection regulator, the ICO (Information Commissioner’s Office), has put together a useful six-step guide.
All the above is not one-way (e.g. UK organisations to the EU); it also affects EU organisations’ personal data transfers to the UK, and organisations can expect that a significant amount of work will need to be completed to ensure compliance with data protection laws in both the EU and the UK.
Notes and References
1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
2. n1. art. 44, 45, 46
3. n1. art. 45.1
4. European Commission, Adequacy Decisions, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en, accessed 22 August 2019
5. n1. rec. 108
6. European Union (Withdrawal) Act 2018 c. 16, sec. 3
7. Data Protection Act 2018 c. 12
8. ICO Blog: How will personal data continue to flow after Brexit? Myth #4, https://ico.org.uk/about-the-ico/news-and-events/blog-how-will-personal-data-continue-to-flow-after-brexit/, accessed 22 August 2019
9. n1. art. 46
10. n1. art. 27
11. n1. art. 27.2 (a), (b)
12. n8. Myth #2