In considering the appropriate lawful ground for processing, where employee data is not being processed so as to perform the employment contract or comply with employment law, assessments will have taken place as to whether to rely instead on "legitimate interests". Employers will have taken care to minimise the special category data and criminal record information they hold and ensured this satisfies the additional restrictions of the Data Protection Act 2018.
A key question is therefore what impact will Brexit have on the many hours of compliance invested by UK employers? Well, the good news (at the risk of taking severe liberties with the word "good") is that no substantive change is anticipated in respect of the data protection rules that UK businesses will have to follow, regardless of what form Brexit takes.
The Information Commissioner's Office (ICO) website is giving prominent focus at the moment to providing advice and guidance to UK employers on the impact that Brexit will have on UK data protection law. It makes clear that since the UK Government plans to absorb GDPR into UK law at the point of exit, organisations should continue to implement GDPR compliance standards and existing ICO guidance.
However, it highlights that there is a potential sting in the tail for businesses in the UK which send personal data to, or receive it from, entities in the European Economic Area (EEA), should the UK leave the EU without a withdrawal agreement that specifically provides for the continued free flow of personal data.
In that eventuality, it is anticipated that UK businesses will still be able to transfer personal data from the UK to the EEA. This is because the Government has indicated there will not be any restrictions imposed on such transfers. However, the ICO advises that transfers of personal data from organisations within the EEA to the UK will be affected, unless the EU makes a formal adequacy decision that the UK data protection regime offers an adequate level of data protection.
While that may seem like it ought to be a straightforward matter (where the UK broadly replicates GDPR in domestic law), it is widely expected such a decision will take time and will not be in place at the point of exit. Indeed, the current political declaration accompanying the withdrawal agreement is premised on the work in relation to such an adequacy decision starting when the UK leaves the EU and endeavouring to be completed by the end of 2020.
To illustrate the practical difficulties this could give rise to, the ICO gives the example of a UK company which passes employee information to a centralised group HR service provided by its parent company in Germany. The UK company (in the absence of a UK restriction) should be able to transfer employee data to its German parent company. However, it is clear that the German parent company, having regard to its own obligations under GDPR, would not be able to transfer personal data as easily back to the UK entity.