By Svea Miesch, Research and Policy Manager in association with Pinsent Masons
When we surveyed ScotlandIS members about their concerns in relation to Brexit in July, the future of data protection rules was one of the most mentioned topics. The ability to host data for EU customers is particularly important for our members with data centres in the UK. However, the wider digital technologies industry also needs to be able to receive personal data transfers from EU-based customers, which requires compliance with EU data protection rules. We therefore spoke to one of our member companies, law firm Pinsent Masons, to find out which changes we can expect in relation to data protection when the UK leaves the European Union.
GDPR comes into force before Brexit
You might be aware that the EU data protection rules have been revised over the last few years and that the new General Data Protection Regulation (GDPR) will apply from 25 May 2018. At this point, the UK will most likely still be a member of the EU, because this date falls in the middle of the two-year negotiation period that starts once Article 50 is triggered, which has been announced for March 2017. Therefore, all British companies and organisations will have to comply with the GDPR and risk hefty fines if they do not.
GDPR standards likely to remain after Brexit
Kathryn Wynn, a specialist in data protection and information security at Pinsent Masons, advised us that companies should expect to continue to meet the data protection standards of the GDPR even after the UK leaves the EU, in most of the Brexit scenarios being discussed:
- “Norway model”: If Scotland should be able to remain part of the European Economic Area (EEA), as proposed in the Scottish Government’s Brexit proposal, the GDPR will continue to be in force as EEA members are required to comply with much of EU law, including the GDPR.
- Single market membership: If Scotland is not able to remain in the EEA but manages to negotiate continued membership of the EU Single Market, Scotland “will need to adopt data protection standards that are essentially equivalent to those in the GDPR in order to justify an adequacy decision”, said Kathryn Wynn. Such an adequacy decision would have to be applied for at the European Commission and would not necessarily be taken immediately after Brexit comes into effect. Transition agreements will therefore be required, or companies risk a disruption to their business.
- “Hard(er) Brexit”: Kathryn Wynn also advised that “in any event, UK-based organisations will be directly subject to the GDPR, if they offer goods or services to EU residents or monitor their behavior.” With the GDPR coming into force, all data processors, including those in non-EU countries, have to apply the GDPR if the individual whose personal data is being handled lives in the EU.
We would therefore recommend that our member companies familiarise themselves with the GDPR and start preparing to implement the new rules.
I would like to thank our member company Pinsent Masons, especially Kathryn Wynn, for their expert advice on this topic.
This briefing is an overview of specific issues in relation to Brexit only and does not constitute legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter.
If you have any comments or suggestions for other topics, please get in touch with me at email@example.com. For more specific questions on this topic, please contact Kathryn Wynn, Senior Associate at Pinsent Masons LLP, at firstname.lastname@example.org.