This article provides a basic overview of what the end of the Brexit transition period means for data privacy and what EU and UK businesses need to know in order to remain compliant under the new laws and regulations.
In this article
- UK GDPR: An overview
- The Trade and Cooperation Agreement and Data Protection
- UK Data Adequacy Status
- What the Post Brexit Transition means for Hiring Representatives
UK GDPR: An overview
The Brexit transition period officially ended on December 31, 2020, and as the UK left the EU, the UK is now a third country according to the EU GDPR. Domestically, the UK retained the EU GDPR by incorporating it into local law and therefore, from January 1, 2021, businesses must adhere to what is now referred to as the UK GDPR. The UK GDPR now sits alongside the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR) in the UK.
Companies that operate inside the UK must now comply with the local framework, which includes the UK GDPR. The UK GDPR retains the same key principles, rights, and obligations as the EU GDPR. For example, it retains the same extraterritorial scope as the EU GDPR and is therefore also applicable to companies outside the UK. Furthermore, the UK GDPR adds new implications for cross-border data transfers between the UK, the EEA and other third countries. Following the transition period, the EU GDPR now applies to the UK the same way it applies to any other third country. This means it is still applicable to UK organisations that offer goods or services to individuals in the EEA, or monitor their behaviour, according to Article 3 of the EU GDPR.
The Trade and Cooperation Agreement and Data Protection
The UK government announced that the Trade and Cooperation Agreement with the EU will create a "bridge" that allows the free flow of personal data from the EU/EEA to the UK throughout what is referred to as the Specified Period. This provisional measure will delay transfer restrictions for at least another four months, and may be extended to a maximum of six months.
Experts have described this decision as pragmatic and beneficial for organisations as it allows the flow of data between the EU and the UK while the EU continues to deliberate on granting an adequacy decision for the UK. Regarding data flows from the UK to third countries, the UK GDPR will continue to follow the same process as before the end of the transition period with the EU GDPR.
Recently, there have been reports that an adequacy decision for the UK will be granted soon. However, many suggest that if an adequacy decision is granted, it is likely to be challenged. Furthermore, the Information Commissioner’s Office (ICO) has issued guidance on the matter and recommended that organisations that work with EU and EEA businesses put in place alternative transfer mechanisms as a sensible precaution to ensure that there will not be any interruption to the free flow of data.
UK Data Adequacy Status
The European Commission is set to grant the UK data adequacy after concluding that the UK's measures to protect the personal data of EU citizens are sufficient. Pursuant to Article 45 of the EU GDPR, the UK’s adequacy status will be reviewed every four years to ensure the privacy of EU citizens is secure. The interim regime will expire on June 30th and the European Commission’s decision must be fully implemented beforehand; otherwise, the flow of data from the EU to the UK will require the implementation of other appropriate safeguards described under Article 46 of the GDPR.
What the Post Brexit Transition means for Hiring Representatives
Businesses that are still relying on an EU representative to ensure compliance with Article 27 EU GDPR should consider hiring a UK representative. Hiring a UK representative ensures data compliance for businesses without a UK establishment. Companies without an EU office selling into the EU will also need to appoint an EU representative. It is important to note that businesses without offices in the EU or the UK will need to hire both an EU and a UK representative if they fall under one of the requirements of Article 27 of the EU GDPR or UK GDPR, respectively.
With the end of the Brexit transition period, it is important for both UK and EU businesses to understand the new rules and regulations for both data flows and transfers. It is recommended that businesses continue to actively stay informed on upcoming measures, especially once the Specified Period ends in April at the earliest. The UK ICO recommends that UK and EU organisations work together to implement data transfer safeguards ahead of time in order to stay prepared.