Data protection and ‘no deal’ Brexit

The possibility of the United Kingdom (UK) leaving the European Union (EU) without a deal, even at the end of any extended period agreed with the EU, is a real risk for businesses to consider and plan for. This note explains the key issues and the steps to take when planning for personal data protection in the event of a ‘no deal’ Brexit.

What happens on ‘no deal’?

Under such a ‘no deal’ scenario, the EU’s General Data Protection Regulation (GDPR) will form part of UK domestic law by virtue of the EU (Withdrawal) Act 2018 (EUWA), with some amendments made to it, alongside the UK’s Data Protection Act 2018 (DPA) and the UK Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (Exit Regulations), which will come into force on exit day, replace references to EU laws and institutions with references to UK equivalents, so that the UK’s legal framework for data protection can function correctly after exit day. The Exit Regulations also provide that the UK GDPR will have extraterritorial effect in the same way as the EU GDPR. This means that the UK GDPR will apply to controllers and processors outside the UK whose processing activities relate to offering goods or services to individuals in the UK or to monitoring the behaviour of individuals in the UK.

Read the full article from Penningtons here –