• Data Strategy
  • GDPR
  • Privacy

08 Jun, 2018

Priority of DPA18 over GDPR & the challenge of Brexit

While the Data Protection Act (2018) is the current law of the UK and will remain so after Brexit, it is necessarily incomplete and must be interpreted in conjunction with the text of the GDPR.

Opinion Piece by Paul Gillingwater, MBA, CISM, CISSP

Where there are no specific provisions or derogations contained within the DPA18, the GDPR’s text applies. For example, Article 37(1) specifies the conditions under which it is necessary to appoint a DPO, a matter on which the DPA remains silent.

The DPA18 is thus lex specialis, ie the specializing law for the UK in respect to personal data protection.

Note that at the time of writing (June 2018), there is some debate about the final shape of the UK’s participation in EU institutions relating to the GDPR.

The following are some key points:

  1. When the UK leaves the EU in April 2019, its membership of the European Data Protection Board (EDPB, the successor to the Article 29 Working Party established by the 2002 Directive) will automatically lapse. There is some doubt as to whether the U.K. Information Commissioner can retain a “seat at the table” in respect to the work of the EDPB.
  2. A second concern is whether the UK will automatically be granted “adequacy” status after Brexit. Adequacy is conferred on countries with an “adequate level of data protection”, however, this is a slow process. Both Japan and Korea are in the queue for recognition of their adequacy status, a process which has taken more than one year. It’s even possible that the adequacy status will not be granted, given some of the special derogations made for law enforcement and immigration control purposes.
  3. Thirdly, there is a concern about enforcement and judgements. The E.U. wants the European Court of Justice (CJEU) to represent the court of final appeal for all decisions on data protection. The U.K. rejects this court’s authority, which may lead to a conflict.
  4. Another implication of Brexit is the lack of clarity over EU Representation (Article 27), which requires controllers and processors in 3rd countries with high risk processing activities to appoint a local representative in the EU. When Britain leaves the EU, it’s not clear whether all of its controllers with substantial EU customers will also need to appoint EU representatives, and whether existing EU Representative contracts already in place can continue after Brexit, or whether they need to be relocated, eg to Ireland.
  5. Another concern of EU lawmakers is how the GDPR may develop and change over time, as laws are often amended. There is no mechanism built into the UK Data Protection Act (2018) to automatically include such changes as they occur, so there is a concern that the two laws may drift apart over time.
  6. The UK has long had a special relationship with US, especially in the areas of intelligence sharing and law enforcement purposes. The introduction of laws such as the US CLOUD Act may undermine provisions of GDPR in the minds of EU regulators, leading to potential conflicts about the lawful basis for 3rd country transfer mechanisms, especially in light of the legal challenges of the EU/US Privacy Shield — a mechanism that in any case will no longer apply to the UK after Brexit, requiring the establishment of a new UK/US Privacy Shield at the least.
  7. The Article 29 Working Party issued advice in 2016 about one-stop shopping — the ability for controllers in the EEA to benefit from the understanding that interactions with the supervisory authorities could potentially be limited to countries where the controller has its main establishment within the EU. When Brexit occurs, the UK will no longer be part of the EEA, and thus will be unable to benefit from one-stop shopping.

Chaucer offers advisory services on GDPR, as well as DPO and GDPR Representative services. Please contact us on DigitalAdvisory@Chaucer.com or 0203 934 1099.

Paul Gillingwater MBA, CISSP, CISM, RHCE

Associate Partner

GDPR, ISO27001, PCI/DSS, GRC, DPA18

Paul is Head of IT Security and Data Privacy Team and Registered DPO at Chaucer and has worked for more than 30 years as a cyber security specialist and advisor to businesses with their governance, regulatory and compliance requirements. More recently he has advised on data protection and is a passionate advocate of online privacy rights education.

Blog 28 Sep, 2021

Data Strategy, Data Science & Analytics, Data Visualisation, Data, Data Ethics, Culture

Finding our equilibrium workplace

28 Sep, 2021

Jill Dawson

Head of Marketing

Blog 23 Jul, 2021

Data Strategy, Data Science & Analytics, Data Visualisation, Data, Data Ethics

Five risks of getting ‘return to work’ wrong and how to avoid them

23 Jul, 2021

Elodie De Fontenay

Insight Partner – Data & AI

Blog 06 Jul, 2021

Privacy, Cyber Security, Data, Ransomware, Information Security

Handling a ransomware data extortion attack

06 Jul, 2021