Changes in the Data protection after UK has left the EU

Following the UK’s departure from the European Union, these are the latest updates on how this affects GDPR and the sensitive issue of data protection.

Overview of the current situation:

  1. The General Data Protection Regulation (GDPR) has been retained in UK law and will continue to be read alongside the Data Protection Act 2018, but with some technical amendments to ensure it can function in UK law. 
  2. The Information Commissioner remains the UK’s independent supervisory authority on data protection. 
  3. The UK is now deemed a ‘third country’ by the EU and so will require an adequacy decision to continue personal data transfers from the EU/EEA. However, the EU-UK Trade and Cooperation Agreement contains a bridging mechanism that allows the continued free flow of personal data from the EU/EEA to the UK after the transition period until adequacy decisions come into effect, for up to six months.
  4. Transfers of personal data from the UK can continue as before.
  1. Receiving personal data from the EU/EEA.

    – For the duration of the bridging mechanism, you can continue to receive personal data from the EU/EEA, but you should work with any EU/EEA organisations that transfer personal data to you to put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU-to-UK personal data.

    – For most organisations, the most relevant of these will be Standard Contractual Clauses (SCCs).The ICO also provides more details  on what actions might be necessary and an interactive tool that allows you to build SCCs.

    -11 of the 12 third countries deemed adequate by are maintaining unrestricted personal data flows with the UK.
  2. Transferring personal data from the UK:

    – There are currently no changes to the way you send personal data to the EU/EEA, Gibraltar and other countries deemed adequate by the EU.

    – For international data transfers from the UK to other jurisdictions, further information can be found on ICO website.
  3. Holding personal data of individuals based outside the UK (whether in the EEA or not) which is processed in the UK but acquired before 31 December 2020:

    – Article 71(1) of the Withdrawal Agreement contains provisions that continue to apply EU data protection law to certain ‘legacy’ personal data until full adequacy decisions are adopted by the EU and come into effect.

    – Although UK organisations may not need to do anything differently immediately to accommodate the Withdrawal Agreement requirements in practice, they may want to consider, where possible, taking stock of the personal data they hold so they can identify and track relevant legacy personal data to which EU data law applies in line with the Withdrawal Agreement requirements.
  4. Appointing EU-based representatives

    – Some UK data controllers and processors may also need to appoint EU-based representatives if they do not have an office, branch or other establishment in the EEA but offer goods or services to individuals in the EEA or monitor the behavior of individuals in the EEA.
  5. Updating documentation

    – Any references to EU law, UK-EU transfers and your EU representative (if you need one) will need to be updated in your privacy notices, DPIAs and other documentation.