Brexit and data protection in the UK
The Brexit transition period ended on 31 December 2020. UK organisations that process personal data must now comply with:
- The DPA (Data Protection Act) 2018 and UK GDPR (General Data Protection Regulation) if they process only domestic personal data.
- The DPA 2018 and UK GDPR, and the EU GDPR if they process domestic personal data and offer goods and services to, or monitor the behaviour of, EU residents.
Learn more about complying with the DPA 2018 and UK GDPR.
Free PDF download: Brexit Checklist
Download our free checklist to track the key actions your organisation needs to take to ensure your data processing activities remain compliant.
Data protection law after 31 December 2020: does the GDPR apply in the UK after Brexit?
No, the EU GDPR does not apply in the UK after the end of the Brexit transition period on 31 December 2020.
However, the EU GDPR was retained in UK law by the European Union (Withdrawal) Act 2018, and with effect from 1 January 2021 the DPPEC (Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit)) Regulations 2019 amended both the retained GDPR and the DPA 2018 so that they work in a UK context after Brexit (for example, by replacing references to EU institutions and supervisory authorities with their UK equivalents).
The amended, retained version of the GDPR is known as ‘the UK GDPR’. It sits alongside the DPA 2018, which supplements it, rather than forming part of it.
UK organisations need to amend their GDPR documentation to align it with the requirements of the UK GDPR. In particular, Article 30 records, privacy notices, DPIAs (data protection impact assessments), DSARs (data subject access requests) and documentation covering international data flows must all reflect the UK’s independent jurisdiction and the specific scope and wording of the UK GDPR.
Any UK organisation that offers goods or services to, or monitors the behaviour of, EU residents will also have to comply with the EU GDPR, and will reflect this in its process documentation.
Learn more about complying with the DPA 2018 and UK GDPR
How we can ensure your transition runs smoothly
IT Governance can help you easily transition your current policies and procedures in line with new legislation while minimising business disruption. Our data privacy experts will guide you step by step to ensure you remain compliant.
Find out the practical implications of the key changes and what they mean for your business with this half-day training course.
Get a detailed review of your organisation’s current processes and documentation and easily identify any gaps.
Appoint an EU representative to meet your Article 27 obligations and enable EU data subjects and supervisory authorities to contact your organisation if it is not based in the EU.
Establish your level of compliance with the EU GDPR’s strict rules on international transfers, and receive a practical, step-by-step action plan to resolve any issues.
Do you still process EU residents’ personal data?
If you are a UK organisation now bound by the UK GDPR, and you still offer goods or services to, or monitor the behaviour of, individuals in the EU, you will also be bound by the EU GDPR under its Article 3(2) extraterritorial scope. In addition, you may now need to:
- Appoint an EU representative;
- Identify a lead supervisory authority in the EU (note that the one-stop-shop mechanism is only available to organisations with an establishment in the EU; appointing a representative does not create one, so an organisation with no EU establishment may have to deal with the supervisory authority of every member state in which it is active);
- Update any contracts governing EU–UK data transfers to incorporate standard contractual clauses; and/or
- Update your policies, procedures and other documentation in light of these changes.
Parts 3 and 4 of the DPA 2018, which govern processing for law enforcement purposes (implementing the EU Law Enforcement Directive) and processing by the intelligence services respectively, continue to apply unchanged – although they now operate outside the EU’s jurisdiction.
Learn more about complying with the EU GDPR
How does Brexit affect international data transfers?
Now the Brexit transition period has ended, the UK is a ‘third country’ – the name given to all countries outside the EEA (EU member states, plus Iceland, Liechtenstein and Norway).
International transfers of personal data from the EU to the UK
Under the EU GDPR, international transfers to a third country are permitted only in certain circumstances:
- If the European Commission has issued an adequacy decision, stating that the country provides an adequate level of data protection (Article 45).
- If appropriate safeguards are in place (Article 46), such as BCRs (binding corporate rules) or SCCs (standard contractual clauses).
- Based on approved codes of conduct or certification mechanisms, which are also Article 46 safeguards. (No such code has been agreed for transfers from the EEA to the UK yet.)
- Failing all of the above, under one of the narrow Article 49 derogations, such as the data subject’s explicit consent to the specific transfer. These are intended for occasional, non-repetitive transfers and are not a substitute for a standing transfer mechanism.
The adequacy, BCR and SCC mechanisms are explained below.
Most organisations that provide goods or services to, or monitor the behaviour of, EU residents will also have to appoint an EU representative, under Article 27 of the EU GDPR.
The UK-EU TCA (Trade and Cooperation Agreement) allows for the continued free flow of personal data from the EU to the UK for a limited ‘bridging’ period after the end of the transition period: initially four months, extended automatically by a further two months unless either side objects, so until 30 June 2021 at the latest.
This enables UK organisations to continue to freely receive data from the EEA (EU member states, plus Iceland, Liechtenstein and Norway) without the need for further action during that period. Note that the EU GDPR’s other requirements, such as for EU representatives, are unaffected by this temporary arrangement.
The UK hopes the European Commission will then issue an adequacy decision in relation to the UK so that personal data can continue to flow freely beyond this six-month period.
To date, the European Commission has adopted 12 adequacy decisions, covering:
- Andorra
- Argentina
- Canada (commercial organisations only)
- The Faroe Islands
- Guernsey
- Israel
- The Isle of Man
- Japan
- Jersey
- New Zealand
- Switzerland
- Uruguay
Talks with South Korea are ongoing.
If the UK does not receive an adequacy decision by the end of the bridging period introduced by the UK-EU TCA, UK organisations will have to use alternative mechanisms, such as SCCs or BCRs, to receive EU residents’ personal data from the EEA.
The ICO (Information Commissioner’s Office) therefore recommends that UK organisations put alternative transfer mechanisms in place now, rather than waiting for the bridging period to expire, to safeguard against potential interruptions to the free flow of personal data.
Binding corporate rules and standard contractual clauses
In the absence of an EU adequacy decision, organisations in the UK that process EU residents’ personal data will have to rely on other safeguards, such as BCRs or SCCs.
SCCs can be found on the European Commission’s website. Organisations receiving data under SCCs should expect their EU counterparties to ask for information about UK law and practice on government access to data, because the Schrems II judgment (see below) requires exporters to assess whether the clauses can be complied with in practice in the destination country.
It is important to note that, now the UK has left the EU, the ICO is no longer a supervisory authority under the EU GDPR, and cannot approve BCRs for transfers of personal data from the EEA to the UK.
Such BCRs therefore need to be approved by a supervisory authority within the EU, and groups whose existing BCRs were approved with the ICO as lead authority need to identify a new lead supervisory authority in the EEA.
UK organisations that make onward transfers of EU residents’ personal data to processors in the US
The EU–US Privacy Shield, which allowed certified US organisations to process EU residents’ personal data, was ruled invalid by the CJEU (Court of Justice of the European Union) on 16 July 2020 in the Schrems II case (C-311/18), following legal action by the Austrian privacy campaigner Max Schrems. The court upheld SCCs in principle, but only on condition that the exporter assesses, case by case, whether the law of the destination country allows the clauses to be honoured in practice and, if not, puts supplementary measures in place or suspends the transfer.
In November 2020, the EDPB (European Data Protection Board) published its Recommendations 01/2020 on supplementary measures to ensure compliance with the EU’s level of protection of personal data, which EU data controllers that use US data processors, and US processors that process the personal data of EU residents, should take into account when making such transfers. UK organisations that forward EU residents’ data to US processors are in the same position: the EU data they hold can only be passed on under a valid transfer mechanism plus any supplementary measures the assessment shows to be necessary.
International transfers of personal data from the UK
Transfers from the UK to the EEA are unaffected: the UK government has recognised the EEA states as providing adequate protection, so UK organisations can continue to send personal data to the EEA without further action. For transfers from the UK to other third countries, the EU adequacy decisions and SCCs that were in force at the end of the transition period are retained in UK law, so UK organisations can continue to rely on them for the time being; the ICO has indicated that it will consult on UK-specific transfer tools in due course.
Potential penalties for non-compliance
Infringements of the EU GDPR’s requirements for transferring personal data to third countries or international organisations are subject to the higher level of administrative fines: up to €20 million or 4% of annual global turnover – whichever is greater. The UK GDPR carries an equivalent higher tier of up to £17.5 million or 4% of annual global turnover, so a UK organisation that mishandles both EU and UK data flows is exposed to enforcement by both the EU supervisory authorities and the ICO.
Organisations that process EU residents’ personal data should therefore put measures in place immediately to ensure they comply with the law after 31 December 2020.
Get help with transitioning your current data protection processes
If you need guidance or advice on how Brexit affects your organisation’s data protection obligations, get in touch with one of our experts.
Call +44 (1474) 55 66 85 or request a call back using the form below.