Data protection guidelines in the wake of Brexit for the UK and EU
As we bid farewell to 2020, a significant change swept across the UK's data protection landscape. At 23:00 on 31 December, the Brexit transition period ended, and a new UK data protection regime came into effect. This new regime, known as the UK General Data Protection Regulation (UK GDPR), is a modified version of the EU GDPR, tailored to suit the UK context.
The EU GDPR and the Data Protection Act 2018
Before the turn of the year, the primary data protection laws that applied in the UK were the EU GDPR and the Data Protection Act 2018 (DPA 2018). The 2018 Act replaced the older Data Protection Act 1998 and was designed to complement the EU GDPR requirements within the UK legal framework.
The EU GDPR, effective from 25 May 2018 across the EU including the UK, set comprehensive rules on how personal data must be processed, ensuring privacy and data protection rights for individuals. The DPA 2018 implemented and supplemented these principles in the UK, adapting certain areas where the EU GDPR allowed member states to legislate differently. Additionally, the Privacy and Electronic Communications Regulations 2003 (PECR) governed electronic communications such as marketing calls, emails, and the use of cookies and tracking technologies.
The UK GDPR and the Interim Solution
After Brexit, the UK implemented its own version of the GDPR as the UK GDPR, which replicates much of the EU GDPR framework but as a domestic UK law. Under the Brexit Withdrawal Agreement, the EU GDPR as in force on 31 December 2020 will continue to apply to certain legacy data for so long as the UK does not benefit from an "adequacy" decision from the EU.
In the interim, the UK has deemed EU member states to be adequate for data flows from the UK without additional mechanisms. Conversely, under the interim solution, no additional transfer mechanisms are required for data transfers from the EU to the UK, but the UK must preserve its existing data protection regime.
Preparing for the UK GDPR
Organisations should take practical steps to prepare for the UK GDPR. This includes mapping data flows, updating records of processing, re-evaluating lead supervisory authorities, appointing representatives, updating privacy notices, amending contracts, and considering whether Data Protection Impact Assessments (DPIAs) and Legal Impact Assessments (LIAs) need to be updated.
The Information Commissioner's Office (ICO) recommends that businesses work with EU and EEA organisations to put in place alternative transfer mechanisms. The EU-UK Trade and Cooperation Agreement includes a joint political declaration stating that the EU will undertake an adequacy assessment for the UK, determining if the UK offers an adequate level of data protection for transfers from the EU.
Compliance and Regulatory Burden
Care is required to evaluate and apply the EU and UK regimes in a way that is compliant and minimises the ongoing regulatory burden. Some businesses may need to comply with both the new UK regime (UK GDPR, UK DPA, and PECR) and the EU GDPR, depending on their activities in the EU and UK.
It is crucial to note that the UK Supreme Court and the Court of Appeal can choose to depart from Court of Justice of the European Union (CJEU) decisions. CJEU case law as at the end of the transition period forms part of UK domestic law and will remain binding on UK domestic courts.
Transfers to Other Countries
Transfers from the UK to other countries, including those under the current European Commission adequacy decisions, can continue. The UK can use existing EU versions of standard contractual clauses for ex-UK transfers, with limited changes needed to reflect the UK's withdrawal from the EU.
In summary, the UK's data protection landscape has undergone a significant transformation. Organisations must adapt to the new UK GDPR and the interim solution for data transfers from the EU to the UK. Compliance with both the new UK regime and the EU GDPR, where applicable, is essential to ensure ongoing data protection and privacy rights for individuals.
- Data mapping tools can help organisations prepare for the UK GDPR by identifying and mapping data flows efficiently, thus minimising the regulatory burden.
- For professionals working in data protection, compliance, and privacy, understanding the implications of the UK GDPR and the interim solution for data transfers from the EU to the UK is essential, as it equips them with the knowledge necessary to safeguard individuals' data protection and privacy rights in this changing landscape.