Brexit and data protection in the UK
The Brexit transition period ended on 31 December 2020. UK organisations that process personal data must now comply with:
- The DPA (Data Protection Act) 2018 and UK GDPR (General Data Protection Regulation) if they process only domestic personal data.
- The DPA 2018 and UK GDPR, and additionally the EU GDPR, if they process domestic personal data and also offer goods or services to, or monitor the behaviour of, EU residents.
Free green paper: Brexit and Data Protection
Download our free green paper “Brexit and Data Protection: A quick overview of the UK GDPR” to learn more about the UK GDPR, how it differs from the EU GDPR, and what you need to do to ensure your data processing remains in compliance with the law after Brexit.
Do you still process EU residents’ personal data?
If you are a UK organisation bound by the EU GDPR, from 1 January 2021 you may need to:
- Appoint an EU representative;
- Identify a lead supervisory authority in the EU;
- Update any contracts governing EU–UK data transfers to incorporate standard contractual clauses; and/or
- Update your policies, procedures and other documentation in light of the changes you make.
New data protection rules
IT Governance can help you easily amend your current policies and procedures to ensure they remain compliant with the law now the Brexit transition period has ended.
Data protection law after 31 December 2020: will the GDPR apply in the UK after Brexit?
Although the EU GDPR itself no longer applies to UK residents’ personal data, UK organisations must still comply with its requirements after 31 December 2020, for three reasons.
First, the DPA 2018 already enacts the EU GDPR’s requirements in UK law.
Second, the DPPEC (Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit)) Regulations 2019 amend the DPA 2018 and the retained text of the EU GDPR so that, read together, they form a data protection regime that works in a UK context after Brexit.
This new regime is known as ‘the UK GDPR’.
There is very little material difference between the EU GDPR and the UK GDPR, so organisations that already comply with the EU GDPR’s requirements will find that most of their existing controls carry over to the UK GDPR.
Parts 3 and 4 of the DPA 2018, which govern processing for law enforcement purposes and processing by the intelligence services respectively, also continue to apply.
Third, any UK organisation that offers goods or services to, or monitors the behaviour of, EU residents will still have to comply with the EU GDPR, and will have to make some changes to its data processing activities to reflect the UK’s new status as a third country.
How does Brexit affect international data transfers?
Now the Brexit transition period has ended, the UK is a ‘third country’ – the name given to all countries outside the EEA (EU member states, plus Iceland, Liechtenstein and Norway).
Any transfer of personal data from the EEA to the UK, and vice versa, now counts as a restricted international transfer to a third country rather than an intra-EEA cross-border transfer, and must be justified by one of the mechanisms below.
International transfers of personal data from the EU to the UK
Under the EU GDPR, international transfers are permitted only in certain circumstances:
- If the European Commission has issued an adequacy decision, stating that the destination country provides an adequate level of data protection.
- If appropriate safeguards are in place, such as BCRs (binding corporate rules) or SCCs (standard contractual clauses).
- Based on approved codes of conduct or certification mechanisms. No such code has been agreed for transfers from the EEA to the UK yet.
- In limited, specific situations, under one of the derogations in Article 49 of the EU GDPR (for example, the data subject’s explicit consent to the transfer after being informed of the risks). These are not intended for routine or repeated transfers.
The adequacy, BCR and SCC mechanisms are explained below.
Most organisations that provide goods or services to, or monitor the behaviour of, EU residents will also have to appoint an EU representative, under Article 27 of the EU GDPR.
To date, the European Commission has adopted 12 adequacy decisions, including:
- The Faroe Islands
- The Isle of Man
- New Zealand
Talks with South Korea are ongoing.
The UK is seeking an adequacy decision, but until one is in place UK organisations are advised to use SCCs to transfer EU residents’ personal data.
Binding corporate rules and standard contractual clauses
In the absence of an EU adequacy decision, organisations in the UK that process EU residents’ personal data will have to rely on other safeguards, such as BCRs or SCCs.
The Commission-approved SCCs can be found on the European Commission’s website. Note that, following the Schrems II judgment discussed below, relying on SCCs also requires a documented assessment of whether the law of the destination country undermines the protection the clauses provide.
It is important to note that, now the UK has left the EU, the ICO (Information Commissioner’s Office) is no longer a supervisory authority under the EU GDPR, and cannot approve BCRs for transfers of personal data from the EEA to the UK.
Such BCRs, therefore, need to be approved by a supervisory authority within the EU.
UK organisations that make onward transfers of EU residents’ personal data to processors in the US
The EU–US Privacy Shield, which allowed certified US organisations to process EU residents’ personal data, was ruled invalid by the ECJ (European Court of Justice) on 16 July 2020 following legal action by the Austrian privacy campaigner Max Schrems.
In November 2020, the EDPB (European Data Protection Board) published its recommendations on supplementary measures to ensure compliance with the EU’s level of protection of personal data. EU data controllers that use US data processors, and US processors that process the personal data of EU residents, should take these into account when making such transfers; the same assessment applies to onward transfers from the UK to the US.
International transfers of personal data from the UK
The UK government has said it will recognise adequacy decisions made by the European Commission before the end of the transition period, and treats the EEA as providing adequate protection, so transfers from the UK to the EEA and to those countries can continue without additional safeguards. The government has said it will keep this arrangement under review.
Potential penalties for non-compliance
Infringements of the EU GDPR’s requirements for transferring personal data to third countries or international organisations are subject to the higher level of administrative fines: up to €20 million or 4% of annual global turnover – whichever is greater.
Organisations that process EU residents’ personal data should therefore put measures in place now to ensure they comply with the law after 31 December 2020.
Speak to a data protection expert
If you need guidance or advice on how Brexit affects your organisation’s data protection obligations, get in touch with one of our experts.
Call +44 (1474) 55 66 85 or request a call back.
IT Governance products and services
We have everything you need to ensure you remain compliant with data protection law now the Brexit transition period has ended, including: