GDPR and Brexit: data protection after we leave the EU
We look at what might change with regard to data protection after we leave the EU and what small businesses need to consider in relation to GDPR and Brexit.
Will data protection requirements change after Brexit?
It doesn’t matter whether you want to remain in or leave the EU – you may have to deal with Brexit very soon. There are plenty of government posters around telling us to get ready but what does that mean for data protection in small business?
There are some potential changes depending on whether the UK remains within the European Economic Area (EEA) but most things related to GDPR won’t change for many businesses – especially if you’re based in the UK and only do business within the UK.
The UK Government is committed to keeping the same requirements as those under the General Data Protection Regulation whether we leave the EU with or without a deal. There will be no immediate change in what the UK regulator (the ICO) expects of you post-Brexit. If you’re not sure whether you need to get better systems in place, check out our free GDPR assessment on Astrid’s App to see what you might need to do.
Receiving information from companies in the EEA after Brexit
If you deal with companies or organisations within the EEA, they may need to put new arrangements in place so they comply with GDPR. This is because data transferred to the UK was fine (when we were in the EEA) – but once we’re outside the EEA it’s different. Your European contacts may need you to sign special contractual clauses to make sure they continue to comply with GDPR. This shouldn’t cause you any major problems: they still require you to work with the same diligence and care when handling personal information. You won’t be able to alter these data protection clauses because they’re fixed terms handed down from the European Commission.
Protecting personal data while doing business in the EEA
For many businesses with customers in the EU, it’s likely that your processing of EU citizen personal data is occasional and low risk. If that’s the case, then there’s likely to be little change.
If you do handle higher-impact information, you will need to appoint a ‘European representative’ to act as your direct contact for data subjects in the EEA and EEA supervisory authorities. If you work in more than one country then you only need to appoint a representative in one of those. You need to provide details of this in your privacy notice, though you don’t need to register with supervisory authorities in the EEA country or notify the ICO.
For example – we recently met a company that manages wills for clients in Spain. If lost, this information could have a high impact on clients so the company should appoint a European representative in Spain.
Find out more about GDPR and Brexit
To find out more about GDPR and Brexit, particularly if you are doing business in the EEA, refer to the ICO guidance on data protection and Brexit. The ICO also provides advice for small businesses on data protection and no-deal Brexit.
Of course, the big changes will only take place if the UK leaves without a deal. If we leave with a deal there should be a transitional period to give us more time to prepare. Watch this space for more information!
Whether we leave with a deal, crash out with no deal or remain, Astrid will continue to support small businesses to help you keep complying with GDPR and UK data protection law. Contact us to find out more about how we can help your small business.