The leading knowledge platform for the financial technology industry

A-Team Insight Blogs

Deal or No Deal: Brexit or No Brexit – How Does this Affect GDPR?


By Nick Murphy, Associate Director, GDPR Integrated Technology and Solution, 3 Lines of Defence Consulting.

All eyes are on the government right now. Parliament is up and running again – for now! A No-Deal Brexit is still looming ever larger and the clock is still ticking. The time for UK firms to take action on all things data related is now.

If Brexit is cancelled or delayed until we get a deal then there is no change to your existing plans. If we get a deal then part of that deal will focus on data privacy. Remember, on the Big Picture side, whatever happens the Data Protection Act 2018 is in UK law. So on top of the items we highlight below, you will still need to ensure you have the policy, process, training and appropriate systems in place.

So what are the specific immediate actions you need to think about? If we leave without a deal on Halloween then the line is drawn and things need to be implemented, or changed, immediately!

Are you aware of what a Deal or No Deal means to your data flows? Are your customers, or data subjects, aware of what it means? If they haven’t started asking questions yet, they surely will soon, and will you be able to satisfy their requests? Let’s take a look at the scenarios, and what they may require.

NO DEAL: The UK will be classified as a Third Country. As a result, when personally identifiable information (PII) is transferred from firms in EU member states to firms in the UK, the rules state that no data will be transferred outside of the EU without a pre-agreed adequacy agreement being in place. This adequacy agreement is very likely NOT to be in place by 31st October. So companies need to take action now to avoid any issues or penalties when processing PII data from EU citizens.

One measure is to use standard contractual clauses, or model clauses, between data controllers in the EU and UK. The ICO states “The clauses contain contractual obligations on the data exporter and the data importer, and rights for the individuals whose personal data is transferred. Individuals can directly enforce those rights against the data importer and the data exporter.”

The ICO has published standard contractual clauses for scenarios where data will be transferred from an EU data controller to a non-EU data controller. These should be looked at if you don’t have one in place (see ICO links below).

However, for EU data processors transferring data to data controllers in the UK, there are no EU-approved standard contractual clauses, and any exceptions, such as those outlined in Article 49 of the GDPR, are deemed not for use on a regular basis, or for large numbers of data subjects.

This means that the exceptions are not suitable for business as usual, and once again, standard contractual clauses should be sought between data controllers.

DEAL: If we leave with a deal in place at the end of October, or a date in the future, then that is only the start – not the end – of what we need to consider with EU PII data. A transition period will kick in. Let’s look at two scenarios: if the UK leaves with a deal but without specifically agreeing an adequacy agreement then you will again need to look to establish SCCs to ensure that PII data can continue to flow between you and the EU. If the UK leaves with a deal and an adequacy agreement is granted, which is the best-case scenario, the adequacy agreement process could take as long as two to three years to be fully established!

This means that firms really need to take some steps to understand the implications and mitigate the risks these present.

There are other options to consider, outside of SCCs, when needing to process data to/from EU countries when the UK leaves. These are:

Nominating an EU Representative – Upon exit, UK organisations may appoint a suitable representative in the EU.

No One Stop Shop – The One Stop Shop means organisations that are conducting cross-border processing within the EU can generally deal with one single European supervisory authority, which would take action if required on behalf of other supervisory authorities.

Binding Corporate Rules (BCRs) – BCRs operate within multinational groups and apply to the restricted transfers of personal data from the group’s EU entities. However, BCRs must be approved by an EU supervisory authority in a country where one of the companies is based.

I’d strongly recommend taking another look at your data flows (as you did pre-GDPR) and identifying what data you have coming into the UK on EU data subjects (including staff, contractors, clients, investors, etc), who the data controller is and who the data processor is. Try to rework the flow to ensure that it is transferred from controller to controller and that standard contractual clauses are included and adhered to. Engage the experts if you are struggling to understand what PII data is, where it is coming from, where it is held and who the agreements need to concern. We at 3LDC know your sector and we know data protection, so can help bring some clarity and relevance to the key roles, clauses and exceptions that you will encounter.

Again, don’t wait – act now, this will not go away any time soon.
