Do I have to take into account the GDPR after Brexit?

Do you have to take into account the GDPR after Brexit? Yes, but there will be a difference between a deal scenario and a no-deal scenario. The difference between the two scenarios will be explained below.

Update: the UK left the EU on 31 January 2020. There is now a transitional period until the end of December 2020, but this transitional period is extendable. During the transitional period, nothing will change in terms of data protection and the GDPR will continue to apply. It is so far unclear what will happen after the transitional period.

1.1. Deal scenario - signature of the withdrawal agreement

In case of a deal scenario, the Withdrawal Agreement between the European Economic Area (EEA, meaning the EU Member States plus Liechtenstein, Iceland and Norway) and the UK sets out the conditions of Brexit. It ensures that the withdrawal will be carried out in an orderly manner.

The Withdrawal Agreement will provide for a transitional period during which the UK, which will have become a third country, will continue to respect all EU legislation without being able to participate in the institutions or being involved in decision-making processes. In return, during this transition period the UK will be able to have access to the internal market and the customs union. The transition period was designed to help citizens, companies and administrations to adapt to Brexit.

If the Withdrawal Agreement with a transitional period is adopted, it is likely that the rules applicable to data protection in the UK will remain unchanged until the effective withdrawal date and throughout the transitional period.

1.2. No-deal scenario - hard Brexit

In case of a hard Brexit, the UK will leave the EU without an agreement between the EU and the UK, meaning that there will be no transition period during which the UK will have to respect EU legislation. In case of a no-deal scenario, the UK becomes a third party and, consequently, EU legislation will no longer apply in the UK.

1.2.1. What is your perspective?

The no-deal scenario can be approached from two perspectives, namely from the perspective of an EEA-based company and that of a UK-based company.

1. EEA-based companies will have to ensure adequate level of protection for any data transfer to the UK if they transfer personal data to companies in the UK, such as their customers, suppliers or service providers. More information about this scenario
2. UK-based companies will have to comply with UK data protection legislation, but possibly also with the GDPR if they have branches or offices in the EEA or if they offer goods and services to, or monitor the behaviour of, individuals in the EEA. If UK-based companies transfer personal data from the UK to the EEA, the UK Government has announced that the situation will remain unchanged. The free flow of data to the EEA will be allowed without the need for additional safeguards. Therefore, if you receive data from a UK controller or processor, there is no change for these processing operations. These will, however, have to comply with the GDPR or any other specific applicable legal framework once the data have been received. More information about this scenario

1.2.2. Checklist

It is important to have a look at the following topics to ensure compliance with the GDPR:

• Identify processing activities that constitute a transfer of personal data to the UK. 
• Determine the most appropriate transfer tool to implement for these processing activities. 
• Implement the chosen transfer tool so that it is applicable and effective as of the withdrawal date. 
• Update your internal policies and documents to include transfers to the UK as of the withdrawal date. If necessary, update the information to data subjects to indicate the existence of a transfer of data outside the EU and EEA in the case of the UK. 
• Determine the competent supervisory authority. 

Read also: https://www.consilium.europa.eu/en/policies/eu-uk-after-referendum/