Data protection and Brexit

How the UK’s withdrawal from the EU will affect the EU GDPR, the UK DPA 2018 and the applied GDPR

Brexit and data protection in the UK

Last updated: 5 February 2020

Brexit is now underway. Under the terms of the European Union (Withdrawal Agreement) Act 2020, the UK is now in a transition period until 31 December 2020 to allow it to negotiate its future relationship with the European Union – although it is still possible for this deadline to be extended.

No trade deal of this size and complexity has ever been agreed between the EU and a third country in such a short time, so the risk of the UK’s trade relationship with the EU defaulting to WTO (World Trade Organization) terms – effectively a no-deal Brexit – still exists.

During the transition period, EU laws, including the EU GDPR (General Data Protection Regulation), will continue to apply in the UK.

This page explains how Brexit will affect data protection in the UK, including international transfers of personal data after the transition period.

It will be updated as and when new information becomes available.

For comprehensive guidance and practical advice on complying with the GDPR, read our bestselling EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide, Third edition.

Data protection law in the UK before 31 December 2020

UK organisations that process personal data are currently bound by two laws: the EU GDPR and the UK DPA (Data Protection Act) 2018.

Both laws continue to apply until the end of the transition period.


Data protection law after 31 December 2020: will the GDPR apply in the UK after Brexit?

The EU GDPR will no longer apply directly in the UK at the end of the transition period (31 December 2020). However, UK organisations must still comply with its requirements after this point.

First, the DPA 2018 enacts the EU GDPR’s requirements in UK law. Second, the UK government has issued a statutory instrument – the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 – which amends the DPA 2018 and merges it with the requirements of the EU GDPR to form a data protection regime that will work in a UK context after Brexit.

This new regime will be known as ‘the UK GDPR’.

There is very little material difference between the EU GDPR and the proposed UK GDPR, so organisations that process personal data should continue to comply with the requirements of the EU GDPR.

The EU GDPR’s requirements as implemented by Parts 3 and 4 of the DPA 2018 will continue to apply for law enforcement and intelligence purposes.

Post-Brexit international data transfers

As a non-EEA member, the UK will be classified as a ‘third country’ from the end of the transition period.

Under Chapter V of the EU GDPR, the transfer of personal data from the EEA to third countries and international organisations (and onward) is permitted only in certain circumstances:

  • If the European Commission has issued an adequacy decision, stating that there is an adequate level of data protection.
  • If appropriate safeguards are in place, such as BCRs (binding corporate rules) or SCCs (standard contractual clauses).
  • On the basis of approved codes of conduct, such as the EU-US Privacy Shield. (No such code has been agreed for transfers from the EEA to the UK yet.)

Most organisations that provide goods or services to, or monitor the behaviour of, EU residents will also have to appoint an EU representative, under Article 27 of the EU GDPR.

How does Brexit affect international data transfers?

Now that it is no longer an EU member state, the UK has been reclassified as a ‘third country’. This shouldn’t make any difference to UK organisations until the end of the transition period.

Adequacy decisions

To date, the Commission has adopted 13 adequacy decisions:

  • Andorra
  • Argentina
  • Canada
  • The Faroe Islands
  • Guernsey
  • Israel
  • The Isle of Man
  • Japan
  • Jersey
  • New Zealand
  • Switzerland
  • Uruguay
  • United States (for companies certified under the EU-US Privacy Shield)

Talks with South Korea are ongoing.

Both the UK and EU hope to complete the adequacy decision process within the transition period, although it is worth noting that there is significant time pressure: the last third country to strike such a deal with the EU was Japan, and that process took just over two years.

Binding corporate rules and standard contractual clauses

If an adequacy decision is not reached by 31 December 2020, organisations in the UK that process EU residents’ personal data will have to rely on other safeguards, such as BCRs or SCCs.

It is important to note that, after the UK leaves the EU, the ICO (Information Commissioner’s Office) will no longer be a supervisory authority under the EU GDPR, and will not be able to approve BCRs for transfers of personal data from the EEA to the UK.

Such BCRs will, therefore, need to be approved by a supervisory authority within the EU 27.

Potential penalties for non-compliance

Infringements of the EU GDPR’s requirements for transferring personal data to third countries or international organisations are subject to the higher level of administrative fines: up to €20 million or 4% of annual global turnover – whichever is greater.

Prudent organisations that process EU residents’ personal data should therefore put measures in place to ensure they continue to comply with the law after 31 December 2020 in case no adequacy decision is reached.

Transfers of UK personal data to the US

As to transfers of UK personal data to the US, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 make provision to preserve the effect of the EU-US Privacy Shield in the UK.

US organisations that participate in the Privacy Shield will have to update their “public commitment to comply with the Privacy Shield to include the UK”.

We will update this page with further information once the nature of the UK’s future relationship with the EU becomes clearer.

The US Department of Commerce has published guidance for US Privacy Shield organisations on how personal data can continue to flow from the UK to the US in a no-deal scenario, including the model language to use in their updated statements.


Speak to a data protection expert

If you need guidance or advice on how Brexit will affect your organisation’s data protection obligations, get in touch with one of our experts. Call 01474556685 or request a call back using the form below.

