Following the Brexit vote this morning, many things remain uncertain, not least how any trade agreement between the UK and the EU will affect requirements to comply with European legislation.
From a data protection perspective, however, some things are certain:
At this stage we cannot predict with any certainty the approach that the UK Government will take to Brexit and national legislation that to date has been based on European requirements.
If the UK seeks to join the European Free Trade Association, many central requirements of EU law would continue to apply, including GDPR.
If the UK does not go down this route, the UK Government will be free to adopt its own data protection laws. In these circumstances the European Commission would have to determine whether UK laws offer adequate protection for EU citizens.
If not, the processing of EU personal data within the UK will be restricted, with a dual regime likely to apply whereby UK personal data will be subject to UK laws and EU data will be subject to model clause requirements or some form of UK Privacy Shield-type arrangement.
It is our view that any UK data protection laws are likely to closely mirror many major aspects of GDPR.
For multinational organisations, and those offering goods or services to EU citizens, GDPR implementation plans will need to continue. If your organisation is headquartered in the UK, and expected to be regulated by the Information Commissioner, you will now need to consider which EU supervisory authority will be your lead authority.
For all organisations it will be important to establish data flows between the UK and the EU, as new procedures may have to be adopted in relation to those data arrangements.
Brexit does not spell the end of data protection regulation in the UK. Ongoing audits and data mapping reviews should therefore continue, to enable compliance with the new regime no matter what form that may take.
We will continue to provide briefings on these issues as soon as further information becomes available. If you would like to discuss the implications of Brexit for your organisation, please contact our Data Protection & Privacy team.