Brexit and data protection in the UK
The Brexit transition period ended on 31 December 2020. UK organisations that process personal data must now comply with:
- The DPA (Data Protection Act) 2018 and UK GDPR (General Data Protection Regulation) if they process only domestic personal data.
- The DPA 2018 and UK GDPR, and the EU GDPR if they process domestic personal data and offer goods and services to, or monitor the behaviour of, EU residents.
Learn more about complying with the DPA 2018 and UK GDPR
Free PDF download: Brexit Checklist
Download our free checklist to track the key actions your organisation needs to take to ensure your data processing activities remain compliant.
Data protection law after 31 December 2020: does the GDPR apply in the UK after Brexit?
No, the EU GDPR does not apply in the UK after the end of the Brexit transition period on 31 December 2020.
However, the UK’s DPA 2018 had already enacted the EU GDPR’s requirements into UK law. With effect from 1 January 2021, the DPPEC (Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit)) Regulations 2019 amended the DPA 2018 and merged it with the requirements of the EU GDPR, forming a new, UK-specific data protection regime that operates within the DPA 2018 after Brexit.
This new regime is known as the ‘UK GDPR’.
UK organisations should therefore align their GDPR documentation with the requirements of the UK GDPR. In particular, Article 30 records, privacy notices, DPIAs (data protection impact assessments), DSARs (data subject access requests) and documentation covering international data flows must all reflect the UK’s independent jurisdiction and the specific scope and wording of the UK GDPR.
Any UK organisation that offers goods or services to, or monitors the behaviour of, EU residents will also have to comply with the EU GDPR, and should reflect this in its process documentation.
How we can ensure your transition runs smoothly
IT Governance can help you easily transition your current policies and procedures in line with new legislation while minimising business disruption. Our data privacy experts will guide you step by step to ensure you remain compliant.
Find out the practical implications of the key changes and what they mean for your business with this half-day training course.
Get a detailed review of your organisation’s current processes and documentation and easily identify any gaps.
Appoint an EU representative to meet your Article 27 obligations and enable EU data subjects and supervisory authorities to contact your organisation if it is not based in the EU.
Establish your level of compliance with the EU GDPR’s strict rules on international transfers, and receive a practical, step-by-step action plan to resolve any issues.
Do you still process EU residents’ personal data?
If you are a UK organisation bound by the UK GDPR and you still process EU residents’ personal data, you will also be bound by the EU GDPR. In addition, you may now need to:
- Appoint an EU representative;
- Identify a lead supervisory authority in the EU; and/or
- Update your policies, procedures and other documentation in light of these changes.
The EU GDPR’s requirements as originally implemented by Parts 3 and 4 of the DPA 2018 continue to apply – but no longer within the EU’s jurisdiction – for law enforcement and intelligence purposes.
Learn more about complying with the EU GDPR
How does Brexit affect international data transfers?
Following Brexit, the UK is a ‘third country’ – the name given to all countries outside the EEA (EU member states, plus Iceland, Liechtenstein and Norway).
International transfers of personal data from the EU to the UK
Under the EU GDPR, international transfers are permitted only in certain circumstances:
- If the European Commission has issued an adequacy decision, stating that there is an adequate level of data protection.
- If appropriate safeguards are in place, such as BCRs (binding corporate rules) or SCCs (standard contractual clauses).
- Based on approved codes of conduct.
These mechanisms are explained below.
Most organisations that provide goods or services to, or monitor the behaviour of, EU residents will also have to appoint an EU representative, under Article 27 of the EU GDPR.
On 28 June 2021, the European Commission announced that it had adopted an adequacy decision in respect of the UK’s post-Brexit data protection regime.
This means personal data can continue to flow from the EEA to the UK, without the need for organisations to use SCCs or other means of ensuring that appropriate safeguards apply.
The UK’s data protection regime will be deemed adequate for four years, after which the adequacy findings will be renewed only if the UK continues to afford EU residents’ personal data an adequate level of protection, in line with the EU GDPR. If UK data protection law deviates from the EU GDPR to a significant extent, the Commission could withdraw the decision.
To date, the European Commission has adopted 13 adequacy decisions, including those covering:
- The Faroe Islands
- The Isle of Man
- New Zealand
- The UK
Talks with the Republic of Korea are ongoing.
Binding corporate rules and standard contractual clauses
In the absence of an EU adequacy decision, organisations outside the EEA that process EU residents’ personal data must rely on other safeguards, such as BCRs or SCCs.
The European Commission issued two new sets of SCCs in June 2021.
It is important to note that, now the UK has left the EU, the ICO (Information Commissioner’s Office) is no longer a supervisory authority under the EU GDPR, and cannot approve BCRs for transfers of personal data from the EEA to the UK.
Such BCRs, therefore, need to be approved by a supervisory authority within the EU.
UK organisations that make onward transfers of EU residents’ personal data to processors in the US
The EU–US Privacy Shield, which allowed certified US organisations to process EU residents’ personal data, was ruled invalid by the ECJ (European Court of Justice) on 16 July 2020 following legal action by the Austrian privacy campaigner Max Schrems.
On 18 June 2021, the EDPB (European Data Protection Board) issued a set of recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
These apply to organisations that transfer EU residents’ data to countries without adequacy decisions, such as the US.
International transfers of UK residents' personal data
The UK government has said it will recognise adequacy decisions made by the European Commission before the end of the Brexit transition period, but will keep this arrangement under review.
Potential penalties for non-compliance
Infringements of the EU GDPR’s requirements for transferring personal data to third countries or international organisations are subject to the higher level of administrative fines: up to €20 million or 4% of annual global turnover – whichever is greater.
Get help with transitioning your current data protection processes
If you need guidance or advice on how Brexit affects your organisation’s data protection obligations, get in touch with one of our experts.
Call +44 (1474) 55 66 85 or request a call back using the form below.