Data protection and Brexit – what’s next?
10th Dec 2020
Linkilaw Solicitors

The United Kingdom left the EU as of 31 January 2020 and entered into a transition period which ended on 31 December 2020. During this transition period, the UK was subject to EU rules.

On 24 December 2020, the UK entered a trade deal with the EU, which came into force on 01 January 2021. It includes provisions on a wide range of subjects, including data protection.

What are the Brexit implications on data protection?

UK businesses have taken extensive steps to ensure compliance with the General Data Protection Regulation (GDPR) that came into force across Europe in 2018. The Information Commissioner’s Office (ICO), which regulates UK businesses in terms of data protection, had confirmed that even at the expiry of the transition period, the GDPR will continue to apply to the UK and it will be transposed into UK law under the EU Withdrawal Agreement and the Data Protection, Privacy and Electronic Communications (EU Exit) Regulations.

As of 1 January 2021, the UK GDPR is replacing the existing EU GDPR. The UK GDPR is the same as the existing GDPR in all material aspects; the differences simply reflect the amendments required to make it work in a UK-only context. All the main principles, obligations and rights remain in place. The existing EU GDPR will continue to apply, unchanged, in the countries of the EEA.

Although the UK is now outside the EU, transfers of personal data from the UK to the EU are not restricted and can continue after the transition period without additional measures being put in place. This is because the EEA states will be deemed by the UK to have an adequate level of data protection.

The EU Exit Regulations lay out provisional arrangements so that UK adequacy regulations include the EEA and all countries, territories and international organisations covered by European Commission adequacy decisions valid as of 31 December 2020. The UK intends to review these adequacy regulations over time. A decision is yet to be made in relation to transfers of personal data from the EEA to the UK.


As part of the trade deal, the EU has agreed to delay transfer restrictions for four to six months (known as the bridge). This means that data can flow freely from the EEA as before. The conditions most likely to be relevant concern whether the UK has “appropriate safeguards” in place for data protection transfers, and an “adequacy decision” needs to be made in relation to the same. An “adequacy decision” would mean that data transfer could continue without additional measures.

It is currently unclear if or when such an “adequacy decision” will be made, so, especially in the case of large-scale processing or processing of sensitive personal data which will continue into 2021, it is prudent to put “appropriate safeguards” in place now.

One way of doing this is to put contracts in place now using standard contractual clauses (SCCs).

SCCs are standard sets of contractual terms and conditions which the sender and the receiver of the personal data both agree to. They include obligations which act as safeguards to help protect personal data when it leaves the EEA and the protection of the GDPR.

The ICO has published various online interactive tools to help businesses assess whether entering into SCCs now is the appropriate course of action and also provides template clauses and agreements which can be used should this be found to be necessary.

Large multinational businesses may be able to rely on existing EEA-approved binding corporate rules to make transfers between their businesses based in and outside of the UK.

Next steps:

Carry out an internal data audit to check how data flows in and out of your business and across what countries. You will need to consider whether the countries you are receiving data from or sending data to are covered by an adequacy decision, or what other safeguards may be appropriate to put in place.

If your organisation:

  • processes data in the EEA and the UK;
  • is UK based but offers goods or services or targets individuals in the EEA;
  • is EEA based but offers goods or services or targets individuals in the UK;

you are now subject to both the EU GDPR and the UK GDPR.

You may need to:

  • appoint an EU Representative, or a UK Representative;
  • consider which EEA or EU supervisory authority is now your lead authority.

It is also sensible to review and update your privacy policy in light of any data flows that affect your business as a result of Brexit.

Should you wish for one of our data protection and privacy lawyers to help with reviewing and updating your data protection processes and policies in light of Brexit, do not hesitate to get in touch.

Our legal commentary is not intended to be a comprehensive review of all developments in the law and practice. Please seek legal advice before applying it to specific issues or transactions.
