PH Privacy

Brexit Update – What Does This Mean for Data Privacy?

January 31, 2020

Sarah Pearce and Ashley Webber

The long awaited day has finally arrived – Brexit!
Since our last update[1], the UK government held a general election that paved the way for the Brexit Withdrawal Agreement to finally be signed meaning the UK officially leaves the EU today, 31 January 2020.
So we ask the question again: what does this mean for data privacy?  In a statement on 29 January, the Information Commissioner’s Office said the following:

“The UK will leave the European Union on 31 January and enter a Brexit transition period. During this period, which runs until the end of December 2020, it will be business as usual for data protection. The GDPR will continue to apply.”

For a significant period of time, it has been unclear whether the transition period would occur.  Commentary on the effects Brexit would have on data privacy therefore focused on the situation where there would be no transition period, i.e. the GDPR would cease to apply in the UK on Brexit day.  However, this is not the situation we find ourselves in today and instead, the GDPR will continue to apply until the end of the transition period.  This will likely come as a great relief to many businesses that did not take any action to its data privacy practices despite the discussions and suggestions from the ICO and many others.

As can be seen from our previous observations on the topic[2], suggestions for businesses if the GDPR were to cease to exist today included reviewing data flows and ensuring appropriate data transfer mechanisms were in place along with considering whether an EU representative should be appointed.  All such suggestions will very likely still be valid come the end of the transition period.
Therefore, the message at this stage with regards Brexit and data privacy is twofold:

1. If you are an organisation that did take steps in line with the GDPR ceasing to apply today, you are in a good place.The advice to you is to continue to monitor the situation, consider it in light of the steps you took towards post-Brexit compliance and revisit the steps and your plan of action throughout the transition period.This will ensure a smooth transition to a post-transition period data privacy world.

2. If you are an organisation that did not take steps in line with the GDPR ceasing to apply today, you now have the remainder of 2020 to prepare for a post-transition period data privacy world.For such organisations, as discussed previously, we suggest carrying out an internal data privacy audit focusing on areas such as data transfers. With just less than a year, this should be ample time to identify and take action in those areas of the business which will not be compliant post-transition period.

[1] https://www.paulhastings.com/publications-items/blog/ph-privacy/ph-privacy/2019/11/13/brexit-what-does-this-mean-for-data-privacy#

[2] https://www.paulhastings.com/publications-items/blog/ph-privacy/ph-privacy/2019/11/13/brexit-what-does-this-mean-for-data-privacy#