GDPR and Brexit – will UK companies lose access to One-Stop Shop?

Now that the GDPR has come into force across the Union and everyone is busy removing themselves from multiple mailings lists that they never realised they were in, the focus is shifting to what GDPR means for the UK in the context of Brexit. 

One-Stop-Shop (OSS)

The idea of OSS is that it will allow your organisation to deal with a single lead supervisory authority (LSA) for most of its processing activities. For the OSS to apply to your organisation, it must be established in the EU and be engaged in cross-border processing. So, if you have a company in Ireland that's transferring data from Ireland to the rest of Europe – then you will be regulated by the Irish Data Protection Commissioner. 

What has the UK asked for?

Britain instead wants a more stable system that allows the Information Commissioner’s Office (ICO) to sit on the body that regulates and set guidelines. They also want the ICO to be a part of the “one-stop-shop” mechanism.

What is the EU offer?

The EU’s Brexit guidelines, published in March, outline that a future legal framework for data sharing “should be governed by union rules on adequacy”, meaning that the EU would recognise data sharing if the UK’s standards stayed in alignment with the EU. The UK would essentially be the same as the US. 

This is not a “one-stop-shop”. Barnier said the UK wanted to both change the bloc and have a say in EU matters after Brexit. Barnier said that such privileged access would impact the EU’s ability to make its own decisions.

He said: “Let’s be clear: Brexit is not and will never be in the interest of EU companies. And above all, it would be contrary to the interests of our companies to give up our autonomy of decision.

“This autonomy allows us to set standards for the whole of the EU but also often to see these standards taken over the world... It is the normative power of the union of what is often called ‘the Brussels effect. And we cannot, we will not be able to share this decisional autonomy with a third country, undoubtedly a former member state but which no longer wants to be in the same legal ecosystem as us.”

What's next for the UK

This is a good example of how Brexit will impact the UK. There is little doubt that in 10 months the UK will have adequacy on data sharing.  However, it will probably not have access to a “one-stop-shop” or a seat on the European Data Protection Board (EDPB).
So while the end-user will see no difference, this will be disruptive for UK companies. After 10 months of enjoying OSS, they will be exposed to multiple regulators and languages that exist within the EU.

A far from the ideal scenario.