After Brexit, a UK company may find itself subject to both the GDPR and the parallel Applied GDPR regime. Consequently, a data breach might well fall within the competence of both the UK ICO and one or more EU Regulators.
In addition, EU companies are likely to face increased procedural challenges in terms of reporting data breaches. Currently, UK companies benefit from the “one stop shop” approach, whereby a UK company can rely on the ICO as its Lead Supervisory Authority (LSA) for GDPR matters and the ICO will take the lead in any breach scenario, without the need to engage the other affected authorities directly.
Irrespective of whether we reach a Deal or No Deal Brexit, this one stop shop approach will no longer apply and a company will need to report a data breach separately to each affected EU Supervisory Authority. Given that, under GDPR, a company has 72 hours in which to notify a breach, it needs to be sure that its internal Data Breach Procedures adequately address this issue.
If a deal is reached, then it is anticipated the status quo will continue as far as EU data transfers are concerned until 2020 and it is hoped that this transition period will allow enough time for the UK to obtain an “adequacy” ruling from the European Commission, in order to enable data to be freely transferred between the EU and the UK at the end of this transition period.
If Britain exits with no deal then, as at 29 March 2018, subject to further guidance being issued in this area, it will no longer be lawful to transfer personal data from the EEA to the UK without additional legal protections being put in place. We can help you with this, so please contact me if you wish to discuss this further.
If your business needs advice on this subject, please get in touch.
City-trained senior solicitor Kym works in our Legal 500-rated corporate & commercial team. She is a leading sports, media and technology lawyer with over 25 years of commercial experience. She advises clients on a diverse range of commercial agreements to include contracts, new media, technology agreements and GDPR compliance.
Disclaimer: All legal information is correct at the time of publication but please be aware that laws may change over time. This article contains general legal information but should not be relied upon as legal advice. Please seek professional legal advice about your specific situation - contact us; we’d be delighted to help.