Yes. As long as the United Kingdom (UK) is still formally a member of the EU, the European privacy and data protection legal framework continues to apply to the UK. It is expected to take some years before the UK formally ceases to be a member of the EU. Once the UK has formally left the EU, the conditions under which data transfers can take place will depend on the new relationship between the EU and the UK.
The new data protection law (the General Data Protection Regulation, GDPR), which applies in the EU from 25 May 2018 onwards, will probably not apply directly in the UK, assuming the UK has left the EU by then, because EU Regulations are directly applicable only in the EU Member States. If the UK wants to continue to trade with the EU, it will have to ensure an equivalent (adequate) level of privacy and data protection.
If the UK is still formally a Member State of the EU when the GDPR becomes applicable, the GDPR will apply there too and organisations will need to comply with it, because a Regulation is directly applicable and does not need to be implemented in national law (unlike the current Directive 95/46/EC).
After leaving the EU, the UK will formally qualify as a third country; it is as yet unclear whether it will become part of the EEA.
If the UK decides not to adopt the GDPR, or to adopt it only in part, the European Commission can assess whether UK privacy and data protection legislation provides an adequate level of protection, i.e. enough safeguards for personal data transferred to the UK. If the legislation is not deemed adequate, additional safeguards must be put in place when transferring personal data from the EU to the UK.
Controllers that are bound by the GDPR need to ensure compliance with the law, including when they contract a processor to process data on their behalf. When contracting a processor in the UK, the controller must make sure that the requirements of the GDPR are met. Furthermore, many obligations of the GDPR apply to organisations located anywhere in the world that process the personal data of EU residents when offering goods or services to them or monitoring their behaviour; British processors need to comply with these obligations when processing EU residents' personal data. Organisations with long-term contracts with processors in the UK should assess those contracts and, where necessary, amend them to make sure that adequate privacy and data protection is part of them.
Binding Corporate Rules (BCRs) allow a group of companies to make intra-group transfers of personal data across borders with adequate protection. BCRs are used mainly for transfers to group entities outside the EU, to ensure an adequate level of data protection there. Transfers of personal data under BCRs remain valid after the UK leaves the EU.
Would you like to know more about the possible privacy and data protection consequences of a Brexit for your company? Contact us!