*Updated October 31, 2019 – Brexit will take effect on January 31, 2020*
How Did We Get Here?
In June of 2016, the people of Great Britain voted to leave the European Union. “Brexit,” as it’s come to be known, is scheduled to take effect on October 31, 2019.
While it was initially thought a formal withdrawal agreement would be negotiated, no deal has been reached as of October 16th.
As the clock ticks, it appears likely that the UK will leave the EU without a deal from Brussels. This rapidly approaching deadline will create complications for a number of industries – including ecommerce. Here is what you need to know about Brexit and GDPR.
A No-Deal Brexit is Technically Illegal, According to Parliament
Much of the controversy surrounding a no-deal Brexit stems from its potential effect on trade. Without a deal with Brussels, Britain’s trading relationship with the EU would become more complicated.
For this and other reasons, Parliament passed the Benn Act in September – a resolution requiring Prime Minister Boris Johnson to request a deadline extension by Oct. 19 in the absence of a deal with the European Union.
In spite of this, Johnson has insisted that Brexit will continue, with or without Parliament’s approval. This clash of power has complicated an already complex situation – and means that a No-Deal Brexit is a possibility.
In The Case of No-Deal, GDPR Would Essentially Still Apply
Even if the UK leaves the European Union, GDPR will still be active.
Although GDPR is only technically applicable to EU member countries, the UK was one of GDPR’s leading proponents when it was first introduced. Thus, the UK has publicly stated that it intends to incorporate GDPR, in its entirety, into its own set of laws.
In addition, the UK has a vested interest in maintaining these guidelines.
Assuming it leaves without a deal, the UK will be given “3rd country status.” This would create obstacles for the transfer of data between the UK and EU countries.
However, the UK will almost certainly apply for “adequacy” status. “Adequacy” is a special designation offered to trusted nations that removes many of the restrictions Brexit would initially cause.
Even though the UK is not technically obligated to continue following GDPR, it plans to continue doing so.
If You’re An American Company and Already Compliant with GDPR, You’re in Luck
Since GDPR will continue to apply, American companies can, for the most part, breathe a sigh of relief. The new rules that are expected to go into effect apply almost exclusively to British companies performing data transfers between the UK and EU.
If you do business with Britain (but don’t transfer data between the UK and the EU), you don’t need to take much action, if any.
Britain is intent on keeping its data rules compatible with the EU’s; thus, there is expected to be very little change. However, please read this notice from the UK government on the subject, to ensure you don’t need to make any changes.
If You’re a British Company, There Are Additional Steps You Must Take Before Brexit
While the rules for outsiders will not be changing very much, most businesses within the UK that do business with the EU must take additional steps to remain compliant. Specifically, this applies if you transfer data between European countries and the UK.
In the vast majority of cases, the process is fairly simple. To remain compliant, you should review your contracts and add Standard Contractual Clauses (SCCs) or Alternative Transfer Mechanisms (ATMs). In simple terms, these are data transfer agreements which must be accepted by the sender and receiver.
The specifics of implementation vary greatly by business. Fortunately, the UK has created a tool for businesses to determine appropriate action, which is available here.
While most UK businesses will need to take such steps, multinational businesses may be able to rely on Binding Corporate Rules (BCRs) for intra-group transfers, which many companies of this type already have in place.
While a No-Deal Brexit is technically illegal at this point, it nevertheless remains a distinct possibility. Companies that do business with the UK should take appropriate steps to prepare.
Companies located outside of the UK will likely not have to take much action (other than remaining compliant with GDPR). However, companies within the UK that do business with the EU should use Standard Contractual Clauses to maintain the flow of data.
To find out how to implement them for your specific business, visit the website of the International Communications Office to ensure you remain compliant.