GDPR after Brexit: What your small business needs to know

Natalie Wood

20th February 2020

The UK officially left the European Union (EU) on the 31st January 2020. After years of deliberation, this substantial turning point may have left many small business owners wondering: what next?

One topic of concern is the GDPR (General Data Protection Regulation). The GDPR was introduced back in May 2018 with the aim of strengthening and unifying data protection for residents of the EU. Businesses spent months preparing and understanding the principles. Now that the UK is no longer in the EU, there is some confusion over whether businesses need to do anything differently to ensure compliance with data protection legislation.

What happens now?

We’re now in a transition period until 31st December 2020. During this period, the GDPR alongside the Data Protection Act 2018 will continue to apply as normal. So there’s no need for you to take any immediate actions. The current rules on trade, travel and business are also the same during the transition period.

The UK and the EU will now negotiate their future relationship following the transition period and make any additional arrangements.

Presuming there’s no extension, any new rules and arrangements will come into effect on 1 January 2021. June 2020 is the final month that any extensions can be requested for this transition period.

There are a few general actions you can take now to prepare for next year. The Government website has a handy questionnaire you can complete to check what actions are relevant for your business.  

GDPR after the transition period

The negotiations that are currently taking place will determine what happens on 1 January 2021.

As the UK is no longer in the EU, we are considered to be a third country for the purposes of data protection, which has implications for data flows. This is not an issue during the transition period, as the Brexit deal has made provision for the flow of personal data between the UK and the EU.

Once the transition period ends on 31 December 2020, the default position is the same as a no-deal Brexit. The GDPR will be incorporated into UK law, but organisations may need to take additional measures to ensure compliance. For example, if you transfer personal data to the EU you may need to implement standard contractual clauses.

The EU has an established process for third countries called an adequacy agreement. Third countries can be granted an adequacy agreement if their standards of data protection are considered to be comparable to those of the EU. As the UK’s data protection regime is currently closely aligned with the EU, it is likely to be considered adequate – but this is not guaranteed and could take several years.

If the EU grants an adequacy decision before 1 January 2021, this would mean that personal data could continue to flow between the UK and the EU as it does currently.

The GDPR will continue to apply in the EU after 1 January 2021, which may have implications for businesses based in the UK. For example, if you offer goods or services to people in Europe or monitor their behaviour, you may need to appoint a representative in the EEA (European Economic Area) after the transition period. However, there is no need to do so now.

So, will GDPR apply after Brexit?

The principles in GDPR are here to stay. During the transition period, continue to comply with the GDPR exactly as you have been.

After the transition period, the GDPR principles will still be relevant. If you operate solely in the UK, you will need to comply with the Data Protection Act 2018, which implemented the GDPR in the UK.

The GDPR is an EU Regulation, so it will continue to apply after the end of the transition period – which may have some implications for UK-based businesses that operate in the EU or rely on personal data flowing between the UK and the EU.

As usual with Brexit, there is a lot of uncertainty. Much will depend on the negotiations between the UK and the EU over the coming months.

Longer term, as the UK looks to establish trading relationships with other countries outside the EU, this may also have implications for UK businesses. It’s possible that over time, we may see the UK’s data protection regime align more closely with other countries outside of the EU.

For now, keep running your business as normal and continue to comply with the GDPR alongside the Data Protection Act 2018. For guidance after the transition period, it’s a matter of watching this space as negotiations progress and we find out whether the UK is granted an adequacy agreement from the EU.

You can find out more about GDPR legislation in our online guide. The ICO has also published some helpful FAQs regarding GDPR and Brexit.

The information in this article is for general guidance about data protection rules and is not legal advice. We have tried to ensure that this guidance is accurate and relevant as at February 2020. However, Nominet UK will not accept liability for any loss, damage or inconvenience arising as a consequence of any use of or the inability to use any information contained in this guidance.