Data Protection After Brexit
The Brexit transition period ended on 31 December 2020. For much of 2020, many doubted that a trade deal would be agreed between the UK and the EU before the transition period was over. On Christmas Eve, however, a deal was finally announced. Furthermore, from 1 January 2021, the UK GDPR took over from the EU GDPR with respect to personal data use in the UK.
For those businesses handling personal data, the prospect of a no-deal scenario was concerning, particularly for those dealing with personal data relating to individuals from the European Economic Area (the EEA). From 1 January 2021, the UK was to become a third country and, in the absence of an adequacy decision from the European Commission, it was likely that additional safeguards would be needed to keep personal data flowing from the EEA into the UK.
The EU-UK Trade and Cooperation Agreement included a data protection Christmas present, however. For a period of at least four months (and extendable to six months), restrictions on the transfer of personal data from the EEA to the UK have been delayed. This so-called “bridge” does come with conditions: the UK may not change its data protection laws or exercise “designated powers” – such as approving its own standard contractual clauses – without EU approval.
The ideal scenario now is that the European Commission makes an adequacy decision about the UK’s data protection laws before the end of the bridge period. If this happens, most of the data protection rules governing SMEs will stay the same.
The UK GDPR
The GDPR is retained in UK law thanks to the European Union (Withdrawal) Act 2018. Now known as the UK GDPR, it works alongside the Data Protection Act 2018 (as did the EU GDPR before it). There are some differences between the EU GDPR and the UK GDPR; however, these are predominantly contextual changes to make the law fit as a piece of domestic legislation. For example, references to a “supervisory authority” in the EU GDPR will instead be specific references to “the Commissioner” (i.e. the ICO) in the UK GDPR.
The good news for SMEs handling personal data is that the principles, rights, and obligations set out in the EU GDPR remain unchanged. In other words, if you were compliant with the GDPR before 31 December, you will be in good shape now under the UK GDPR.
UK Organisations With No Contacts or Customers in the EEA
If you have no contacts or customers in the EEA and were already compliant with the GDPR, as noted above, little has changed, and there is not much that you will need to do to remain compliant with the UK GDPR.
We have updated our range of Data Protection Documents in line with the UK GDPR. This includes checking and updating references to specific sections within the legislation as well as reviewing the general principles, rights, and obligations. See below for more detail.
Please note that our current range of data protection documents is designed for UK use only.
UK Businesses & Organisations Sending or Receiving Personal Data to or from the EEA
As explained above, the 4-6 month bridge in the Trade and Cooperation Agreement means that personal data flows from the EEA to the UK can continue for the moment. The UK Government has also said that transfers of personal data from the UK to the EEA can continue.
It is important to note that any business or organisation in the EEA that sends personal data to you will need to comply with EU data protection laws. Note also that personal data acquired from overseas before the end of the Brexit transition period (known as “legacy data”) will be subject to the EU GDPR as it was on 31 December 2020 (referred to as the “frozen GDPR”).
Please note that our current range of data protection documents is designed for UK use only.
UK Businesses & Organisations With an EEA Presence or EEA Customers
If you operate in the EEA, you will need to comply with both the UK and the EU’s data protection laws. The UK data protection regime (including the UK GDPR) will apply to your UK activities and any offices, branches, or similar that you have in the EEA will remain subject to EU law (including the EU GDPR).
If you are only based in the UK but offer your goods or services to individuals in the EEA, or monitor their behaviour, the EU data protection regime will continue to apply to these activities. You may also need to appoint a suitable representative in the EEA.
Personal data acquired from overseas before the end of the Brexit transition period (known as “legacy data”) will be subject to the EU GDPR as it was on 31 December 2020 (referred to as the “frozen GDPR”).
Please note that our current range of data protection documents is designed for UK use only.
UK Businesses & Organisations Sending or Receiving Personal Data to or from Third Countries
The rules governing the transfer of personal data to countries outside of the EEA are currently very similar to the pre-31 December position. EU adequacy decisions and approved safeguards (such as standard contractual clauses) that existed at the end of the transition period continue to be recognised by the UK government.
Personal data acquired from overseas before the end of the Brexit transition period (known as “legacy data”) will be subject to the EU GDPR as it was on 31 December 2020 (referred to as the “frozen GDPR”).
Please note that our current range of data protection documents is designed for UK use only.
Updates to Simply-Docs Data Protection Documents
Our range of Data Protection Documents has been updated in line with the UK GDPR. Each of our data protection templates has been reviewed and (where necessary) updated. This has included checking pre-existing specific EU GDPR references against the UK GDPR as well as reviewing the core principles, rights, and obligations within the legislation.
As with most content available from Simply-Docs, our data protection content is designed for use only within the UK. The pan-EU nature of the GDPR meant that, previously, documents written for GDPR compliance had the potential for broader application. It is important to note that, post-Brexit, this will not necessarily be the case. While it is true that the principles, obligations, and rights contained in the UK GDPR match the EU GDPR, future divergence is possible. As noted in the sections above, activities involving personal data in Europe remain subject to European legislation.
If you need to comply with the EU GDPR or any other non-UK legislation, please note that our documents will not be suitable. As of 1 January 2021, our data protection documents cover UK law only, unless we clearly state otherwise.
Future Changes
The fact that the UK GDPR is, as near as makes no difference for small businesses, a carbon copy of the EU GDPR means that data protection compliance for SMEs in the UK should require little additional work for the time being, save for ensuring that policies, notices, and contractual clauses are kept up-to-date.
Furthermore, the data bridge period ushered in by the Trade and Cooperation Agreement and the potential for a seamless transition to an adequacy decision means that cross-border data flows can continue smoothly for now.
It is important to remember, however, that we have moved from one transitional period to another. When the bridge period ends – with or without an adequacy decision – the UK’s data protection regime is likely to start branching out on its own while also keeping closely aligned with the EU’s framework.
When we first began introducing new documents for the GDPR in 2018, we referred to them as “living documents” and that remains the case today. We will closely monitor developments in the UK’s data protection legislation and in guidance from the Information Commissioner and will be keeping our range of content under review.
The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.