What to pay attention to when it comes to data protection against the backdrop of an unregulated Brexit?

Brexit und die Auswirkungen im Datenschutzgesetz

After the United Kingdom (UK) leaves the EU, the transition period ends on December 31, 2020. This article draws the attention to during and especially after the transition period and the subjects to be prepared – only in case if UK might slip into the status of a β€œthird country” that does not comply with the European level of data protection. When is the subject relevant for a Swiss SME?

  • You have a branch office in the UK.
  • Use service providers from the UK to perform your services (goods suppliers).
  • You use UK-based cloud/SaaS services, online marketing tools.

Affected groups of people:

  • Your customers.
  • Users of your online services or website visitors.
  • Employees or applicants to online application services.

If the UK becomes a third country that is insecure in terms of data protection law, the above-mentioned conditions will be at risk of data protection breaches after the transition phase. According to GDPR, all countries outside the EU and the EEA are so-called “third countries”, i.e. personal data may not be transferred to these countries without further ado.

If the EU Commission declares the UK to be a safe third country under data protection law, such as Switzerland, the adequacy decision would have to be made at record speed. If this does not happen, you have to take care of the data protection level yourself.

UK will be cut off from EU in terms of data protection without adequacy decision and will have to be treated like Russia, China…. But even then, there are ways to securely regulate data transfers and cooperation with UK companies under data protection law, such as through

  • Contractually required data transfers
  • Consents from data subjects
  • Other guarantees (Binding Corporate Rules…)

We recommend reviewing data processing procedures, privacy statements, consents and access procedures regarding transfers of personal data. Be prepared that UK may lose its secure level of data protection.