Fri 25 Jan 2019

Impact of Brexit on GDPR and international data flows

Complying with all aspects of GDPR is by no means an easy matter. Employers have invested many hours updating their contracts of employment, drafting privacy notices and data privacy policies, as well as updating their IT policies.

In considering the appropriate lawful ground for processing, where employee data is not being processed so as to perform the employment contract or comply with employment law, assessments will have taken place as to relying instead on "legitimate interests". Employers will have taken care to minimise the special category data and criminal record information they hold and ensured this satisfies the additional restrictions of the Data Protection Act 2018.

A key question is therefore what impact will Brexit have on the many hours of compliance invested by UK employers? Well, the good news (at the risk of taking severe liberties with the word "good") is that no substantive change is anticipated in respect of the data protection rules that UK businesses will have to follow, regardless of what form Brexit takes.

The Information Commissioner's Office (ICO) website is giving prominent focus at the moment to providing advice and guidance to UK employers on the impact that Brexit will have on UK data protection law. It makes clear that since the UK Government plans to absorb GDPR into UK law at the point of exit, organisations should continue to implement GDPR compliance standards and existing ICO guidance.

However, it highlights there is a potential sting in the tail for businesses in the UK which send or receive any personal data from entities in the European Economic Area (EEA), should the UK leave the EU without a withdrawal agreement that specifically provides for the continued free flow of personal data.

In that eventuality, it is anticipated that UK businesses will still be able to transfer personal data from the UK to the EEA. This is because the Government has indicated there will not be any restrictions imposed on such transfers. However, the ICO advises that transfers of personal data from organisations within the EEA to the UK will be affected, unless the EU makes a formal adequacy decision that the UK data protection regime offers an adequate level of data protection.

While that may seem like it ought to be a straightforward matter (where the UK broadly replicates GDPR in domestic law), it is widely expected such a decision will take time and will not be in place at the point of exit. Indeed, the current political declaration accompanying the withdrawal agreement is premised on the work in relation to such an adequacy decision starting when the UK leaves the EU and endeavouring to be completed by the end of 2020.

To illustrate the practical difficulties this could give rise to, the ICO gives the example of a UK company which passes employee information to a centralised group HR service provided by its parent company in Germany. The UK company (in the absence of a UK restriction) should be able to transfer employee data to its Germany parent company. However, it is clear that the German parent company, having regard to its own obligations under GDPR, would not be able to transfer personal data as easily back to the UK entity.


This is because since the UK will sit as a third party country outside the EEA, the German parent company will have to comply with the restrictions within GDPR on such transfers and ensure, if no adequacy decision is in place, that it complies with one of the other appropriate safeguards needed to permit the transfer.

The ICO guidance points to the fact that for many organisations the simplest way of ensuring an appropriate safeguard is likely to be to use (EC approved) model contract clauses between the sender and recipient in order to permit the transfer. However, since time will be needed to put such arrangements in place, it is important for businesses to actively consider their international data flows now (whether in relation to employee personal data or otherwise) and consider what steps they might need to take.

Another area highlighted by the ICO is that at the point of exit, employers will have to review the relevant sections within their privacy notices dealing with international transfers, which may need updated when the UK is no longer within the EEA. At the moment such sections are likely to focus on international transfers beyond the EEA and after exiting (subject to the UK provisions introduced) it will be important to capture and refer to any international transfers taking place, both those to and outside the EEA.

While the uncertainties over Brexit show no sign of disappearing any time soon, it makes sense for employers to review their international transfers of personal data, in light of this advice, so they stand prepared if no withdrawal agreement can be reached.

Make an Enquiry

From our offices we serve the whole of Scotland, as well as clients around the world with interests in Scotland. Please complete the form below, and a member of our team will be in touch shortly.

Morton Fraser MacRoberts LLP will use the information you provide to contact you about your inquiry. The information is confidential. For more information on our privacy practices please see our Privacy Notice