Brexit GDPR

BREXIT GDPR Compliance Continuity

With the uncertainty of BREXIT looming, what does this mean for your ongoing GDPR compliance?

How you comply with the GDPR depends on how the UK will be viewed by the EU after BREXIT, particularly with regard to data protection adequacy. Here we outline the 3 most likely scenarios:

Scenario #1 – The UK leaves the EU but remains within the European Single Market

In terms of your GDPR compliance requirements, not much should change. You would still require a DPO under the GDPR (rather than an Article 27 EU Representative), who could be based in the UK or any of the member states. In this case, however, companies may wish to appoint multiple DPOs (one in the UK and one in an EU member state) to protect themselves from future regulatory divergence and uncertainty.

Scenario #2 – The UK leaves the European Single Market with an Adequacy Decision

In this case, the free flow of data between the UK and the EU would be able to continue, though the compliance obligations would likely change from that of an EU-based DPO under Articles 37-39 to an EU Representative under Article 27.

Scenario #3 – The UK leaves the Single Market without an Adequacy Decision

While we would consider this the least likely scenario, we would envision two different ways that this could unfold:

3.1 – EU-UK and Swiss-UK Privacy Shield – the UK and the EU (or Switzerland) agree on a data protection adequacy framework similar to that of the USA (Privacy Shield). In this case, data protection adequacy is provided by the framework itself. Organisations managing data subject to the GDPR would opt in to the framework in order to facilitate cross-border data transfers. In this scenario, you would require an EU Representative and, furthermore, would need to account for variances in the dispute resolution process.
3.2 – The UK is classed as a third country – This means that the UK would be treated as any other non-EU country that holds no other data protection adequacy arrangements with the EU. In such a case, you would need an EU Representative within the EU and, as a company, would also need to establish a suitable mechanism for the protection of data under the GDPR. This may include drafting Binding Corporate Rules (BCRs) for your organisation, adopting Model Contractual Clauses in your Privacy Policy and Data Processing Agreement, etc. to maintain compliance.

How can I best be prepared for post-BREXIT GDPR compliance?

The best way to be prepared and to further mitigate your compliance risk is to plan ahead for the different possible scenarios while the situation continues to unfold. In this, Adaptant can provide you with support for a hassle-free (as far as the GDPR is concerned) transition and minimal disruption to your customers. It’s as easy as 1, 2, 3!

  1. Pre-BREXIT: Let us be your DPO in the UK through our newly-established UK Services entity;
  2. If the UK leaves the Single Market, we can swap you seamlessly to our EU Representative service (our main office is based in Germany);
  3. If the UK is classed as a third country or must negotiate an adequacy framework with the EU post-BREXIT, we can, in addition to acting as your EU Representative, help you draft BCRs, Privacy Policies, and Data Processing Agreements, etc. We can get you back on the path to compliance with minimal fuss and disruption to your EU-based customers across a range of data transfer mechanisms.

Pricing and Additional Services

In contrast to our competitors, our service pricing is flexible and based on a retainer rather than a recurring subscription model – we don’t believe in charging our clients for work not performed. This means, if no work is carried out on your behalf, you don’t pay*. However, when you need us, we will be right there for you. Peace of mind doesn’t have to come at a premium, nor should compliance be out of financial reach – especially for small companies and start-ups facing these challenges for the first time.

In addition to our GDPR service offerings, we can help you develop an operational scenario checklist and planning guide to assist in splitting your operations between the UK and mainland Europe.

For a full listing of our GDPR services, click here.

*The retainer fee is paid upfront upon conclusion of our service agreement and is only drawn upon for work performed. Your retainer does not expire over time and is automatically rolled over at the end of the year. The precise retainer amount varies depending on the type of organisation, the type of data, the complexity of organisational data flows, etc.

Are you interested in more information about our services?

Please contact us directly and we would be happy to discuss options with you.