GDPR is a key component of the Government’s data protection paper released yesterday, relating to how a partnership between the UK and the EU could be structured in relation to the ‘exchange and protection’ of personal data post Brexit.

Regardless of Brexit, the UK intends to continue to play a leading global role in promoting data protection standards, and plans to work side by side with the EU and other global partners to protect:

• individuals’ rights to privacy and control over their own data
• the ability of individuals, companies and other organisations to share data to create services valued by consumers
• the ability of law enforcement bodies to protect citizens from crime and terrorism

The government paper restates that the UK’s new Data Protection Bill (definitely needed – current legislation is now some 20 years old) will include not only the EU’s General Data Protection Regulation (GDPR), but also the Data Protection Directive (DPD) which relates to personal data being processed for law enforcement purposes.

This means that, when we leave the EU, both its and our own UK data protection law will be aligned.   This is important because it provides the UK with a sound base from which to achieve “adequacy status” to avoid the detrimental economic impact of any disruption in cross-border data flows.

What is Adequacy Status?

It is likely that the UK will require adequacy status in order for data to flow freely between UK and EEA

Each EEA country is allowed to transfer personal data freely, because all states have to comply with GDPR.

For countries that are not members of the EEA (and it is likely that the UK will fall into this category post-Brexit), the EU Commission may decide that a country’s data protection framework is “adequate”.  In these cases, data may also flow freely between EEA members and “adequate” third party countries – for example, Switzerland, Isle of Man, New Zealand.

Adequacy is probably the simplest method of achieving the free flow of data between the EU and UK post Brexit.  Other methods are available, but they are significantly more onerous in time, paperwork and cost for organisations.

How to achieve Adequacy Status

Any third country (eg UK) can request that the Commission considers them for an adequacy decision.  The Commission may then, if it wishes, assess the nature of that country’s data protection rules, enforcement, supervision and practices to satisfy themselves that they are sufficient to provide an adequate level of protection – ie “essentially equivalent” to those applied in the EU.

In order to achieve adequacy post Brexit, the UK will need to be compliant, not only with EU data protection law, but also with wider global data protection standards.  As the UK’s data protection law fully implements the EU’s GDPR and DPD, the government hopes “to agree, early in the process, to mutually recognise each other’s data protection frameworks as a basis for the continue free flows of data between the EU (and other EU adequate countries) and the UK from the point of exit”.

• GDPR will, in any case, continue to apply to any UK businesses offering goods or services to individuals within the EEA.
• The UK intends to remain a safe destination for personal data with some of the strongest data protection standards in the world
• The ICO may continue to play an active role in promoting understanding of the regulatory challenges faced both by organisations and individuals; being involved in future EU regulatory discussion;  and sharing its expertise with other EU Data Protection Authorities.

It’s worth noting that the Government paper makes it quite plain that both sides will benefit from such an arrangement.  The paper suggests that (based on various reports) around 43% of all large EU digital companies are started in the UK, and that 75% of the UK’s cross-border data flows are with EU countries.  The implication is that any disruption in cross-border data flows could harm the economies of both parties.

Clearly building a new relationship is a key element of the Brexit negotiations.  And adequacy is a vital part of that relationship.

Victoria Tuffill    25th August, 2017

Data Compliant advises on GDPR compliance. If you’d like more informaiton, please call 01787 277742 or email dc@datacompliant.co.uk