Data protection post-Brexit: what does it mean for your business?

How is data currently protected in the UK?

In 2018 the European Union (EU) implemented the General Data Protection Regulation (GDPR). This was introduced to protect people’s data and prevent misuse of that information.

As employers and business owners, you will hold an array of personal data. For example, your employees’ pay records, staff appraisals, time records, employment contracts and medical records. GDPR was incorporated into domestic law by the Data Protection Act 2018.

Despite the UK’s exit from the EU last year, data protection laws in the EU and UK remain largely aligned for now. As the EU and UK develop their data protection laws separately, the gap between the two could, however, grow in future.

The UK is unlikely to reduce the level of data protection currently provided but may relax some restrictions to make it easier for small to medium-sized businesses to deal with personal data.

The EU and UK have, in the UK’s exit agreement, agreed to maintain high standards of data protection going forward, which is not surprising. For the time being, interim measures are in place.

The ‘bridging mechanism’

These interim measures, known as the bridging mechanism, will last up to six months, ending at the latest on 30 June 2021. The measures were introduced to allow the free flow of data between the EU and the UK to continue without any immediate alterations or the UK being considered a ‘third country’.

Following from this interim period, an adequacy decision is waiting to be finalised. This is important to ensure that the personal data relating to those living in the EU can still be processed freely in the UK. Without an adequacy decision, additional safeguards and measures would apply, which could create difficulties for UK businesses.

Will the adequacy decision be agreed?

The UK’s data protection is currently closely aligned with the EU, so it would seem unlikely that an adequacy decision would not be granted. The EU and the UK already exchange data freely with countries including New Zealand and Japan who have their own adequacy decisions in place.

However, commentators in the area have raised concerns that an adequacy decision may not be granted for a number of reasons.

One of these is the Five Eyes alliance. This involves an intelligence sharing agreement between the UK, US, Australia, New Zealand and Canada. Not all of these countries’ data protection laws are deemed to be adequate by the EU so this may hinder the UK’s chances. However, New Zealand are considered adequate by the EU, so it may not be fatal.

Others have raised concerns over the onwards transfer of data to the US and the level of protection afforded in such cases. The US is a noticeable omission from those countries recognised by the EU as having adequate systems in place.

A draft adequacy decision for the UK was released on 19 February 2021 by the European Commission. This now needs to be approved by EU member states and other official bodies.

How will it affect data protection laws?

If granted, the adequacy decision will last four years, unless the UK drastically changes or reduces the protection provided, which would give businesses some certainty about the rules until at least 2025. UK data protection levels will then be reviewed after the four years are up and the adequacy decision could then be renewed.

If an adequacy decision is not granted, additional rules and safeguards will be put in place. This would slow down, and create more difficulties and barriers for businesses when transferring personal data between the UK and the EU. This would pose particular difficulties for companies processing personal data for those inside the EU, increasing admin and legal costs or challenges.

Making data protection laws more business friendly

There will be no drastic changes to the legislation overnight, but going forward we may see more alterations that affect the way businesses handle and transfer their data in the UK.

It has been reported the UK aims to not only protect data but boost business opportunities and growth, in the EU and further afield.

Commentators in the area have hopes that developments will improve public services and technology businesses, allowing greater collaboration and innovation through an increased ability to share information. An example given by Digital Secretary Oliver Dowden was the ability for hospital trusts to share lung scans to improve coronavirus treatment methods.

Some have suggested changes could benefit small to medium-sized businesses, however it is unclear how this will look. Restrictions or obligations may be relaxed, for example, removing the need to keep detailed records of how data is being processed.

If, as suggested, data protection laws are amended in a way which reduces the burden on small and medium businesses, this raises questions as to whether the EU would still consider the UK to provide ‘adequate’ protection. The UK would have to tread carefully to ensure that reducing the burden on businesses does not contradict the agreement to maintain high data protection standards.

How can you prepare?

It is important that businesses continue to monitor the position with regards to the UK’s adequacy rating and put in place contingency plans in the event that adequacy is not granted by the EU prior to the end of June.

Please contact a member of our team for more advice on how you can do this.

This content is correct at time of publication