A leading lawyer has warned that the UK’s departure from the European Union may leave insurers and businesses struggling with the way they handle data.
Helen Bourne, Partner at Clyde & Co, warned it remains unclear whether the EU will grant the UK’s data protection regime ‘adequacy’ status after Brexit. If it does not, Britain’s businesses, and their insurers, will need to be on alert.
Therefore, organisations that rely on personal customer or employee data flowing between the UK and the EEA should be planning for a ‘no deal’ scenario to ensure that their data processing agreements are compatible with a new data privacy regulatory landscape.
“Whatever agreement is reached over the terms of the UK’s exit from the EU, there will be implications for data protection regulations, in particular those governing data flow from the EEA to the UK, and internationally from 1 January 2021,” she said. “From this date onwards, the GDPR will cease to be law in the UK. It will be replaced by the new ‘UK GDPR’, created by the Data Protection and Privacy Electronic Communications (EU Exit) Regulations 2019 (‘DPPEC’), passed under section 8 of the EU Withdrawal Agreement.”
Ms Bourne explained that although the UK GDPR has incorporated almost all GDPR provisions verbatim into UK law, and both the UK and the EU have expressed a wish to minimise disruption after the transition period, it is still unclear if the EU/EEA intends to afford the UK ‘adequacy’ status.
“Without this status, continued uninterrupted free flow of personal data between the UK, the EEA and internationally will not be possible. Because two sets of rules will apply, complexity will be created when transferring and holding UK and EEA data as well as when managing cross-border data breaches,” she added. “Given the ongoing lack of clarity over Brexit and its longer-term impact on data privacy laws, UK organisations that rely on the continued cross-border data flow should keep abreast of updates from the ICO.
“Data privacy regulatory changes are likely, so it will pay to be on top of the detail and to have professional advice on hand to ensure compliance with the new data privacy requirements from 1 January 2021.”