Brexit will not stop the General Data Protection Regulation
("GDPR") becoming the new reality for the UK in 2018. As
confirmed by the Information Commissioner's Office last week,
to trade with the European Union (trade inevitably involving
cross-border personal data use, sharing, transfers and so on), we
will want to be considered a country with 'adequate' levels
of data protection. How do we attain this? By having equivalent
data protection laws. In which case, we will still need to comply
with GDPR standards.

Even if the UK does not aim for the lofty heights of equivalent
data protection laws, many organisations in the UK will still need
to comply with GDPR standards and here's why:

If personal data is transferred to a non-European Economic Area
(EEA) country, other than for ad hoc data transfers which fall
within the 'permitted transfers' list, a mechanism such as
Binding Corporate Rules or Model Contracts will need to be

For example, a company has shared HR services/systems. Servers are
in the Netherlands but accessible from the UK. This will involve a
personal data transfer to the UK. Model Contracts would need to be
put in place (assuming they are still around by 2018 given Max
Schrems is now also challenging Model Contracts before the Irish
data protection regulator). Intra-group Model Contracts will
involve commitments by the UK recipient to data protection
compliance principles equivalent to those in Europe. From May 2018
that means complying with GDPR standards.

You will still be caught by the GDPR if you are not a member of
the EU, even if you're not receiving personal data from an EU
country but you are targeting goods/services at an EU market or
profiling personal data of data subjects in the EU. For example, a
UK online retailer which sells to continental European consumers
will still need to apply GDPR standards to use of personal data of
European-based data subjects.

If you use service providers in any EU country, GDPR standards
could also still apply. For example, if you use an IT service
provider in Germany, you might not have an 'establishment'
in the European Union, but could still be processing on equipment
there by virtue of your German provider. By processing on equipment
based in Germany, you could then still be caught by the GDPR (given
this will apply in Germany from May 2018).

The chances are that many UK organisations will need to be
GDPR-compliant regardless. Do not let post-Brexit uncertainty eat
away at your GDPR compliance schedule.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.