Data protection and Brexit

How the UK’s withdrawal from the EU affects data protection in the UK: the EU GDPR, UK DPA 2018 and UK GDPR

Brexit and data protection in the UK

The Brexit transition period ended on 31 December 2020. UK organisations that process personal data must now comply with:

  • The DPA (Data Protection Act) 2018 and the UK GDPR (General Data Protection Regulation) if they process only the personal data of UK residents.
  • The DPA 2018 and the UK GDPR, plus the EU GDPR, if they also offer goods or services to, or monitor the behaviour of, EU residents.

Learn more about complying with the DPA 2018 and UK GDPR.

EU General Data Protection Regulation – A compliance guide.

Free green paper: Brexit and Data Protection

Download our free green paper “Brexit and Data Protection: A quick overview of the UK GDPR” to learn more about the UK GDPR, how it differs from the EU GDPR, and what you need to do to ensure your data processing remains in compliance with the law after Brexit.


Do you still process EU residents’ personal data?

If you are a UK organisation bound by the EU GDPR, from 1 January 2021 you may need to:

  • Appoint an EU representative;
  • Identify a lead supervisory authority in the EU;
  • Update any contracts governing EU–UK data transfers to incorporate standard contractual clauses; and/or
  • Update your policies, procedures and other documentation in light of the changes you make.

Learn more about complying with the EU GDPR

New data protection rules

IT Governance can help you easily amend your current policies and procedures to ensure they remain compliant with the law now the Brexit transition period has ended.


Data protection law after 31 December 2020: will the GDPR apply in the UK after Brexit?

Although the EU GDPR itself no longer applies to UK residents’ personal data, UK organisations must still comply with its requirements after 31 December 2020, for three reasons.

First, the DPA 2018 already applies the EU GDPR’s standards in UK law and supplements them (for example, for processing outside the scope of EU law).

Second, the DPPEC (Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit)) Regulations 2019 amend the DPA 2018 and the retained text of the EU GDPR so that they form a single data protection regime that works in a UK context after Brexit. The amended, retained GDPR sits alongside the DPA 2018 and is read together with it.

This new regime is known as ‘the UK GDPR’.

There is very little material difference between the EU GDPR and the UK GDPR, so organisations that process personal data should continue to comply with the EU GDPR’s requirements.

Learn more about complying with the DPA 2018 and UK GDPR

The EU GDPR’s requirements as implemented by Parts 3 and 4 of the DPA 2018 continue to apply for law enforcement and intelligence purposes.

Third, any UK organisation that offers goods or services to, or monitors the behaviour of, EU residents will have to comply with the EU GDPR as well, and will have to make some changes to its data processing activities.

Learn more about complying with the EU GDPR

How does Brexit affect international data transfers?

Now the Brexit transition period has ended, the UK is a ‘third country’ – the name given to all countries outside the EEA (EU member states, plus Iceland, Liechtenstein and Norway).

Any transfers of personal data from the EEA to the UK, and vice versa, now count as international (restricted) transfers rather than as cross-border transfers within the EEA.

International transfers of personal data from the EU to the UK

Under the EU GDPR, international transfers are permitted only in certain circumstances:

  • If the European Commission has issued an adequacy decision, stating that the destination country provides an adequate level of data protection.
  • If appropriate safeguards are in place, such as BCRs (binding corporate rules) or SCCs (standard contractual clauses).
  • Based on approved codes of conduct or certification mechanisms. No such code has been agreed for transfers from the EEA to the UK yet.

In the absence of any of these, a transfer may only rely on one of the narrow derogations for specific situations (such as the data subject’s explicit consent), which are not suitable for routine, repeated transfers.

The main mechanisms are explained below.

Most organisations that provide goods or services to, or monitor the behaviour of, EU residents will also have to appoint an EU representative, under Article 27 of the EU GDPR.

Adequacy decisions

To date, the European Commission has adopted 12 adequacy decisions:

  • Andorra
  • Argentina
  • Canada (commercial organisations only)
  • The Faroe Islands
  • Guernsey
  • Israel
  • The Isle of Man
  • Japan
  • Jersey
  • New Zealand
  • Switzerland
  • Uruguay

Talks with South Korea are ongoing.

The UK is seeking an adequacy decision, but until one is in place, UK organisations that receive EU residents’ personal data are advised to put SCCs in place with the EU-based exporter.

Binding corporate rules and standard contractual clauses

In the absence of an EU adequacy decision, organisations in the UK that process EU residents’ personal data will have to rely on other safeguards, such as BCRs or SCCs.

The Commission-approved SCCs can be found on the European Commission’s website.

It is important to note that, now the UK has left the EU, the ICO (Information Commissioner’s Office) is no longer a supervisory authority under the EU GDPR, and cannot approve BCRs for transfers of personal data from the EEA to the UK.

Such BCRs, therefore, need to be approved by a supervisory authority within the EU.

UK organisations that make onward transfers of EU residents’ personal data to processors in the US

The EU–US Privacy Shield, which allowed certified US organisations to process EU residents’ personal data, was ruled invalid by the ECJ (European Court of Justice) on 16 July 2020 in the Schrems II judgment, following legal action by the Austrian privacy campaigner Max Schrems. The judgment left SCCs valid, but only where the exporter has assessed that the law of the destination country does not undermine the protection they provide.

In November 2020, the EDPB (European Data Protection Board) published its recommendations on supplementary measures for ensuring that transferred data receives a level of protection equivalent to the EU’s. EU data controllers that use US data processors, and US processors that process EU residents’ personal data, should take these recommendations into account when making such transfers.

International transfers of personal data from the UK

The UK government has said it will recognise adequacy decisions made by the European Commission before the end of the transition period, but will keep this arrangement under review.

Potential penalties for non-compliance

Infringements of the EU GDPR’s requirements for transferring personal data to third countries or international organisations are subject to the higher level of administrative fines: up to €20 million or 4% of annual global turnover – whichever is greater.

Organisations that process EU residents’ personal data should therefore put measures in place immediately to ensure they comply with the law after 31 December 2020.

Speak to a data protection expert

If you need guidance or advice on how Brexit affects your organisation’s data protection obligations, get in touch with one of our experts.
Call +44 (1474) 55 66 85 or request a call back using the form below.


IT Governance products and services

We have everything you need to ensure you remain compliant with data protection law now the Brexit transition period has ended, including:
