How Brexit Affected GDPR Compliance

How Did Brexit Affect GDPR Compliance for Companies Based in the UK?

The General Data Protection Regulation (GDPR) was introduced in 2018 as a new EU data protection law. The GDPR replaces the 1995 EU Data Protection Directive. It strengthens EU data protection rules by giving individuals more control over their personal data and establishing new rights for individuals. Companies that process the personal data of EU citizens must comply with the GDPR unless they can demonstrate that they meet certain conditions.

The GDPR applies to companies that process the personal data of EU citizens, regardless of whether the company is based inside or outside the EU. This means that UK-based companies must comply with the EU's GDPR if they process the personal data of EU citizens. After Brexit, the GDPR will continue to apply to UK-based companies that process the personal data of EU citizens.

6 Conditions for Companies to Process Personal Data Without GDPR Compliance

The UK’s data protection watchdog, the Information Commissioner’s Office (ICO), has clarified the conditions under which UK businesses can process the personal data of EU citizens without GDPR compliance: a business qualifies if it can demonstrate that it meets one of six conditions set out by the ICO. If you are a UK business that processes the personal data of EU citizens, it is important to understand these conditions and whether or not your business meets them.

The six conditions are as follows:

  1. The data must be processed for the purposes of legitimate interests pursued by the company.
  2. The data must be processed for the performance of a contract with the individual.
  3. The data must be processed for compliance with a legal obligation to which the company is subject.
  4. The data must be processed to protect the vital interests of the individual.
  5. The data must be processed for the performance of a task carried out in the public interest or in the exercise of official authority vested in the company.
  6. The data must be processed for reasons of substantial public interest on the basis of UK or EU law.

How has Brexit affected GDPR compliance for UK-based companies?

There are a few ways in which Brexit has affected GDPR compliance for UK-based companies. First, after Brexit, UK-based companies will no longer be subject to EU law. This could make compliance more difficult, since they will no longer be able to rely on EU law for guidance on how to comply with the GDPR. Second, after Brexit, UK-based companies will no longer have direct access to the European Court of Justice (ECJ). The ECJ is responsible for interpreting EU law, and its decisions are binding on all EU member states. This could make it more difficult for UK-based companies to get clarity on how to comply with the GDPR. Finally, after Brexit, UK-based companies may no longer be able to participate in certain EU data protection initiatives, such as the EU-US Privacy Shield Framework.

What is the EU-US Privacy Shield Framework?

The framework was created in response to the EU’s General Data Protection Regulation (GDPR), which came into effect in May of 2018. The Privacy Shield Framework allows companies to transfer data between the EU and the United States, while still complying with GDPR regulations.

The Privacy Shield Framework is made up of seven principles:

  • Notice: Companies must provide clear and concise notice to individuals about their data collection practices.
  • Choice: Individuals must be given the choice to opt out of having their data collected or used for certain purposes.
  • Accountability for Onward Transfer: Companies must take responsibility for ensuring that the data they transfer to third parties is protected in accordance with the Privacy Shield Principles.
  • Security: Companies must take steps to protect the security of individuals’ data.
  • Data Integrity and Purpose Limitation: Companies must only collect and use data that is relevant and necessary for the purpose it was collected for. Data should also be accurate, complete, and up-to-date.
  • Access: Individuals must be able to access the data that companies have collected about them, and companies must provide individuals with the means to correct any inaccurate data.
  • Recourse, Enforcement, and Liability: There must be mechanisms in place to hold companies accountable for their compliance with the Privacy Shield Principles. These mechanisms should include independent dispute resolution, consequences for non-compliance, and sanctions for false claims of compliance.


The Privacy Shield Framework is a voluntary program, but it is overseen by the U.S. Department of Commerce and the European Commission. Companies that participate in the Privacy Shield Framework are required to self-certify their compliance with its principles on an annual basis. The Privacy Shield Framework is currently being challenged in court by a group of privacy advocates, but it is still in effect.

Do UK companies still need to comply with data protection (GDPR) regulations?

Despite these potential challenges, UK-based companies can still take steps to ensure that they are compliant with the GDPR after Brexit. First, UK-based companies should continue to review their data processing activities to ensure that they are only collecting and using personal data that is necessary for their business purposes. Second, UK-based companies should put in place robust data security measures to protect the personal data that they process. And third, UK-based companies should keep up to date on developments in EU data protection law, so that they can adapt their compliance strategies as needed.

Following these steps will help UK-based companies to remain compliant with the GDPR after Brexit. However, it is important to note that the ultimate impact of Brexit on GDPR compliance for UK-based companies remains uncertain at this time. This is because the terms of Brexit have not yet been finalised, and it is unclear what type of relationship the UK will have with the EU after Brexit. As a result, UK-based companies should continue to monitor the situation and make changes to their compliance strategies as needed.

If you have any questions about how Brexit affects GDPR compliance for your company, feel free to contact us; we are happy to answer them.