When the UK left the EU on 31st January 2020, the GDPR continued to apply in the UK during the agreed transition period. On 1st January 2021, this period ended and the GDPR as it originally came into force in 2018 no longer applies to the UK. So what happens now?
Generally, not much will change at the moment. As the GDPR had already been incorporated into UK law by the Data Protection Act 2018, its provisions do still form part of UK law. It has been retained as part of the larger body of EU law which remains part of the law in the UK after Brexit.
The UK made regulations to amend the GDPR so that it applies domestically in the UK. There is therefore now the ‘UK GDPR’, which has been amended to update terminology and remove provisions which relate to EU membership or EU law, and the ‘EU GDPR’, which is the original GDPR still in force in the EU. The substantive provisions which create rights and obligations remain effectively the same, so if you were compliant with the GDPR before, that should remain the case now. The main change from a policy perspective is that the UK data protection regime is now governed by the UK GDPR and the Data Protection Act 2018, so documents may need to be amended to make reference to this.
If you only process data within the UK, then the data protection laws of the UK will apply. However, if you also process data within the EU or the European Economic Area (EEA) or about individuals in the EU/EEA then you will also need to have reference to the EU GDPR. Therefore, if you have a branch in the EEA or customers or contacts there, you need to comply with both the EU and UK GDPR and may need to designate a representative in the EEA.
The main area where Brexit creates a difference at this stage is transfers of data from outside the UK. Personal data can be transferred freely within the EEA under the GDPR, which previously included the UK. After Brexit, the UK is a ‘third country’ for data protection purposes. This means that data cannot be transferred outside the UK – or into the UK from elsewhere – unless appropriate safeguards are in place or certain circumstances apply. However, the UK has provided that there are no restrictions on sending data to the EEA, so such activities can continue. The position is more complicated for businesses which also receive data from the EEA.
The EU recognises some countries as having a sufficient level of data protection compliance to allow transfers of data through what are referred to as ‘adequacy decisions’. There is no such decision in place for the UK at the moment. However, the deal reached at the end of 2020 between the UK and EU agreed a period of four months – potentially extendable to six months – where data transfers can continue as before while the UK seeks an adequacy decision. Given the UK is highly aligned and has a high level of compliance because of its adoption of the GDPR, hopefully, such a decision will be made. However, the Information Commissioner currently recommends that any business which deals with transfers of data from the EU/EEA consider putting alternative measures in place prior to the end of April when the agreed transition period runs out.
Miller Samuel Hill Brown can provide further advice and guidance on such issues. To get in touch please use our online contact form.