In late Spring 2018, inboxes across Europe were being clogged up with emails from businesses, eager to explain how their privacy notices had been updated to cater for a new EU law: GDPR.
Roughly 18 months later, Northern Irish businesses ought now to be considering how they may continue to be subject to the requirements of GDPR and equivalent UK legislation from the end of the year, including how GDPR will continue to apply to their customers and suppliers in the EU27, and whether GDPR might block the sending of personal data from the EU27 to the UK.
As of the end of the Transition Period, the UK will become a “third country” for the purposes of GDPR and, unless a Brexit deal is reached or a decision of adequacy is made by the European Commission before then (in which case, businesses would breathe a sigh of relief that not much as much needs to change in how they operate), additional measures and contractual documents will be needed to ensure cross-border data transfers into EU27 can continue, privacy notices will (again) need to be updated, data maps will have to be re-drawn and representatives based in EU27 may have to be appointed. We have been assisting numerous clients in better understanding, and preparing to comply with, their obligations in that regard.
The risk here is not just from data regulators (some of whom may be prepared to take a relaxed approach, in the early stages at least), but from nervous customers in EU27 who need to be reassured that the UK company has taken the appropriate steps for personal data to continue to be sent across the border. Indeed, this could pose an opportunity for UK businesses to position themselves to provide that reassurance and, not only retain their own customer base, but perhaps capitalise on a competitor’s lack of preparedness.
Paul is an Associate Director in the Tughans Contracts & Technology team. If you wish to speak to Paul about how Brexit may affect your business in relation to Data Protection Compliance, please get in touch via email email@example.com.
While great care has been taken in the preparation of the content of this article, it does not purport to be a comprehensive statement of the relevant law and full professional advice should be taken before any action is taken in reliance on any item covered.