CONTACT US 0131 226 8200

Latest Blogs

Brexit Implications and GDPR

Believe it or not, we have been enjoying a period of relative stability during 2020 – at least when it comes to Brexit. That is because we are still in the transition period, set to expire at midnight on 31 December, 2020.

Given the current state of affairs (at the time of publication), it seems increasingly likely that the UK will leave the EU without a withdrawal deal. What does this mean for small businesses and how they handle data protection?

The good news is that the substance of the General Data Protection Regulations (GDPR) will be retained in UK domestic law, and the framework at large will be under domestic review as well. That said, there is not any indication that data protection would be dramatically changed in the near future. So, by and large, businesses can continue to operate as they have been, except for two pretty significant departures from business-as-usual.

First, you will need to determine if your business will be required to appoint an EU representative. You will need to do this if you do not have an office in the EU or EEA state but offer goods and services to or monitor the behavior of individuals in the EU. If your business is processing personal data only occasionally, is of low risk to the data protection rights of the individuals in question, and does not involve large-scale use of special category data, then you will not need to appoint an EU representative. However, ‘occasional’ processing is intended to cover the one-off situation which does not form part of your regular business. So even if only a small proportion of your customers are in the EU, this is unlikely to mean you are only ‘occasionally’ processing there.  .

The UK government has stated that it intends for this requirement to be reciprocal (meaning EU businesses will need to appoint a UK-based representative for data privacy regulation). 

The second notable exception is that once the transition period ends, then the GDPR rules dealing with data transfers outside the EEA will apply to personal data that is being transferred into the UK from the EEA. Essentially, the UK will be classed a “third country”, which means that data transfers are restricted unless there are certain protections or exceptions.

The European Commission is able to determine whether such a third country is adequately protected by issuing an ‘adequacy decision’. While the government is currently asking the commission to grant the adequacy decision by the time the UK leaves, there is a good chance the UK will leave without such a decision, meaning that personal data flows from the EU to the UK will be restricted. There are several ways businesses can continue to operate without an adequacy decision using ‘appropriate safeguards’.

For now, the best option for businesses to ensure there is no interruption to data flow from the EU is to execute standard contractual clauses.  Unfortunately, whether this on its own is going to be sufficient to comply with data protection legislation has been recently thrown into doubt by the European Court of Justice decision in the Schrems II case. This case was principally about whether the EU/US Privacy Shield programme was fit for purpose (turns out it wasn’t) but has ramifications on how standard contract clauses are used. Hopefully guidance from the ICO to bring some much needed clarity will arrive soon.

If you have any further questions about what SMEs can expect when it comes to data privacy after the transition period, and particularly if you are concerned about the need to appoint an EU representative, then please contact our Data Privacy Partner, Andy Harris ( or any member of our IP, Data and Contracts team.

Getting the Most Out of Homeworking
People Update

Contact us today