Operating across the globe, expanding into a new territory or growing in existing countries might require your business to react to a changing legal and economic landscape. In this article we're focusing on the changes many businesses will have to navigate as a result of Brexit and, specifically, two business-as-usual issues – impacts on customer and supplier contracts, and data protection.
Customer and Supplier Contracts
One of the first steps to think about as Brexit takes effect is "how will my business be affected?" Regardless of whether your supply chain or customers are confined within the UK or extend to, or outside of, the EU, each of your contracts will most likely contain clauses which rely upon EU-influenced legislation in areas such as tax, staffing or data. You may also have clauses which apply to specific territories, with the "EU" used to define the extent of an obligation or restriction. These clauses need to be identified and analysed to determine the risk posed to such contracts by the UK leaving the EU.
Data protection law will change and is something an organisation will need to revisit following Brexit. The good news is, due to the UK's Data Protection Act 2018, a UK-specific version of the GDPR has already been put in place in the UK and therefore the preparations organisations have made to comply with GDPR will not go to waste.
During the Transition Period (31 January to 31 December 2020), there is no change: the GDPR will continue to apply in the UK. During the Transition Period the UK is due to apply for an Adequacy Decision, meaning, if approved, the EU will recognise the UK's laws as providing equivalent protection to personal data. Having an Adequacy Decision means transfers of personal data from the EU to the UK after the Transition Period will not need any additional compliance measures.
Given the UK's Data Protection Act 2018 is extremely similar to the provisions of the GDPR, we would expect that the UK would easily obtain an Adequacy Decision from the EU after applying. This would mean the UK would then be treated the same as countries like Canada, Switzerland and New Zealand. In the absence of an Adequacy Decision, following the Transition Period, the UK will become a non-EEA (non-European Economic Area) jurisdiction and will be re-classified as a "third country" under the GDPR. As a result, the transfer of personal data from organisations in the EU to the UK will be subject to strict data transfer rules, as set out by the GDPR (Articles 44 to 50). Organisations will then need to put compliance mechanisms in place, such as International Data Transfer Agreements using the EU's Standard Contractual Clauses.
What should organisations be doing to get a head start?
Revising your GDPR-affected policies and mapping your data flows would be a good first step. By understanding where your data comes from and where it goes, your organisation can prepare for any changes occurring during or following the Transition. Data protection policies will need to be updated to reflect the correct terminology post-Brexit.
The UK's decision to leave the EU has left businesses operating in the UK and Europe wondering what's next. Completing a checklist and reviewing key areas of business will help you to identify where changes need to be made and what action is required.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.