GDPR and Brexit, The Story So Far
The United Kingdom officially left the European Union on the 31st of January 2020.
After exiting the Union, a 12 month transition period began, so the two parties could attempt to form an agreement to strengthen their relationship. Within this period, data protection was governed by both the EU and UK versions of the General Data Protection Regulation (GDPR). The two versions align with one another: all of the principles, obligations, and rules remained the same under either. Only technical amendments were made to make it operable in UK law.
What Happens Now?
Now that the transition period has ended, the United Kingdom GDPR Act has become the main piece of legislation within British law surrounding data protection. This is additional to the 2018 Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR). As previously mentioned, the UK GDPR Act is essentially the same as the EU version, but the terminology has been slightly amended to work within UK law.
There is now an interim period of no longer than 6 months, which is due to complete at the end of April; however, it can be extended by another 2 months if the EU does not deem the UK as having adequate data protection laws. Within this period, when it comes to data protection, the United Kingdom is viewed as being part of the European Union. Hence, data can travel freely between the UK and EU (including the European Economic Area (EEA) States).
How Does This Impact My Business?
As a part of a business, you do not need to immediately make changes to the data protection procedures you have in place. However, this does not mean that you should wait until the end of the period to change them. You and your business should be as prepared as possible, so when the period ends you can transition smoothly to the new rules, regulations, and procedures being adopted.
The Information Commissioner’s Office (ICO) and the government have outlined some actions which can help you best prepare your business now. These include, but are not limited to:
- Considering appointing a UK Representative if your business offers goods and services to the UK or monitors UK individuals, but has no UK branch, office, or other establishment. These principles also apply to UK businesses when deciding to appoint a European representative.
- Keeping updated with the progress of the events within the interim period. These can be accessed through both the ICO and Government websites.
- If your business receives personal data from the EEA, adopting alternative safeguards before the 31st of April 2021 will be necessary.
Data protection laws have not changed to the extent where you and your business need to be taking drastic action.
The government and ICO have advised that business owners consider how the laws may change at the end of the interim period, and best prepare themselves for a smooth transition. It is very likely that by the end of the interim period, the UK will have been granted adequacy by the EU. This is because the UK laws are aligned with the current EU data protection regulations. But this is not a given; therefore you should keep updated with the progress of the adequacy assessment and make informed decisions based on it.
Roundup of Useful GDPR Resources
Please see our favourite useful websites that provide more information on the impact of Brexit on data protection:
- ICO’s “Statement in response to UK Government’s announcement on the extended period for personal data flows, that will allow time to complete the adequacy process.”
- ICO’s “Information rights at the end of the transition period – Frequently Asked Questions.”