Last reviewed 24 February 2020

Amidall the arguments about trade, financial services and fisheries, discussions about the forthcoming negotiations between the UK and the EU regarding their future relationship tend to neglect one very important area — data protection.

The storage and use of personal data by organisations was brought into sharp focus in 2018 when they were required to take account of the requirements of the EU’s General Data Protection Regulation (GDPR).

In that context, the Government has made clear, personal data refers to any information that can be used to identify a living individual, including a customer’s name, their physical or IP address, or HR functions such as staff working hours and payroll details.

While businesses should all now have their GDPR policies in place, they need to be aware of the possible impact of the post-Brexit negotiations.

The Information Commissioner's Office (ICO) has explained: “The UK will leave the European Union on 31 January and enter a Brexit transition period. During this period, which runs until the end of December 2020, it will be business as usual for data protection”.

It is what happens after that date that will increasingly cause concern for businesses that currently exchange data freely with the EU Member States.

If this is to continue after 31 December 2020, it is likely that the EU will have to adopt what is known as an adequacy decision, essentially agreeing that the UK’s provisions for data protection are at least as good as those applying in the Union.

The quickest EU adequacy decision agreed so far was for Argentina, and that took 18 months; the UK’s transition period now has only 10 months to run.

The Government has already said that it will adopt the GDPR into domestic law at the end of the transition period but this does not necessarily mean that the EU will automatically deem it to be adequate.

This is because the European Union (Withdrawal Agreement) Act 2020 allows the UK courts to diverge from the case law of the EU’s Court of Justice (CJEU) so the two sides could begin to drift apart on their interpretation of the GDPR.

“It is not yet known what the data protection landscape will look like at the end of the transition period and we recognise that businesses and organisations will have concerns about the flow of personal data in future,” the ICO has advised.

It has accordingly prepared a suite of guidance and materials (available at https://ico.org.uk/for-organisations/data-protection-and-brexit) to help businesses to prepare for all scenarios, including a no-deal Brexit.

Comment by BrightHR Chief Technological Officer Alastair Brown

Employers won’t be surprised that the future landscape of data protection in the context of Brexit is unclear and the ICO’s own admission on that score doesn’t instil any confidence.

It’s a complicated area in the first place that employers are still getting to grips with, despite the new data protections laws being in play for almost two years now.

The best advice for employers is to sit tight and wait for decisions to unfold, using ICO’s “any eventuality” guidance as a signpost for any actions needed.