3 min read

Writen by Zlatko Delev

Posted on: April 22, 2021

Changes in the Data protection after UK has left the EU .

Following the UK’s departure from the European Union, these are the latest updates on how this affects GDPR and the sensitive issue of data protection.

Overview of the current situation:

  1. The General Data Protection Regulation (GDPR) has been retained in UK law and will continue to be read alongside the Data Protection Act 2018, but with some technical amendments to ensure it can function in UK law. 
  2. The Information Commissioner remains the UK’s independent supervisory authority on data protection. 
  3. The UK is now deemed a ‘third country’ by the EU and so will require an adequacy decision to continue personal data transfers from the EU/EEA. However, the EU-UK Trade and Cooperation Agreement contains a bridging mechanism that allows the continued free flow of personal data from the EU/EEA to the UK after the transition period until adequacy decisions come into effect, for up to six months.
  4. Transfers of personal data from the UK can continue as before.
  1. Receiving personal data from the EU/EEA.

    – For the duration of the bridging mechanism, you can continue to receive personal data from the EU/EEA, but you should work with any EU/EEA organisations that transfer personal data to you to put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU-to-UK personal data.

    – For most organisations, the most relevant of these will be Standard Contractual Clauses (SCCs).The ICO also provides more details  on what actions might be necessary and an interactive tool that allows you to build SCCs.

    -11 of the 12 third countries deemed adequate by are maintaining unrestricted personal data flows with the UK.
  2. Transferring personal data from the UK:

    – There are currently no changes to the way you send personal data to the EU/EEA, Gibraltar and other countries deemed adequate by the EU.

    – For international data transfers from the UK to other jurisdictions, further information can be found on ICO website.
  3. Holding personal data of individuals based outside the UK (whether in the EEA or not) which is processed in the UK but acquired before 31 December 2020:

    – Article 71(1) of the Withdrawal Agreement contains provisions that continue to apply EU data protection law to certain ‘legacy’ personal data until full adequacy decisions are adopted by the EU and come into effect.

    – Although UK organisations may not need to do anything differently immediately to accommodate the Withdrawal Agreement requirements in practice, they may want to consider, where possible, taking stock of the personal data they hold so they can identify and track relevant legacy personal data to which EU data law applies in line with the Withdrawal Agreement requirements.
  4. Appointing EU-based representatives

    – Some UK data controllers and processors may also need to appoint EU-based representatives if they do not have an office, branch or other establishment in the EEA but offer goods or services to individuals in the EEA or monitor the behavior of individuals in the EEA.
  5. Updating documentation

    – Any references to EU law, UK-EU transfers and your EU representative (if you need one) will need to be updated in your privacy notices, DPIAs and other documentation.

Contact Us

Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.

Contact Us

Recent blogs

EU AI Act Summary: Key Compliance Insights for Businesses

The EU AI Act is a pioneering attempt to regulate AI systems, striving for a balance between foster

AI Act: Fundamental Rights Impact Assessments (FRIA) – Who, When, Why, and How to Ensure Ethical AI Deployment

The European Union (EU) has positioned itself as a leader in shaping the responsible development an

How the Privacy Act Protects Personal Information in Australia

 As cyber threats loom larger and data breaches become more common, the significance of strong

Get Your Account Now

Setup in just a few minutes. Enter your company details and choose the services you need.

Create Account

Get In Touch

Not sure which option to choose? Call, email, chat to us

Contact Us

Stay Up-To-Date

Leave your details here and we’ll send you updates and information on all aspects of GDPR and EU Representative. We won’t bombard you with emails and you will be able to tell us to stop anytime.

Full Name is required!

Business Email is required!

Company is required!

Please accept the Terms and Conditions and Privacy Policy