GDPR and Brexit: what has changed?

20 April 2021

Now that the UK has left the EU, it is no longer governed by the European General Data Protection Regulation (GDPR). Many businesses will have questions around GDPR and Brexit now that the transition period has ended.

To replace GDPR after Brexit, the UK has introduced its own data protection regulation, the United Kingdom General Data Protection Regulation (UK-GDPR). This took effect from 31 January 2020.

What is GDPR?

GDPR was introduced by the European Union in May 2018 and regulates the way organisations collect, store and use the personal data of any EU citizen. Europe’s data privacy and security law is one of the strictest in the world, taking a hard line on the protection of personal data in the fast-paced digital age.

Many businesses – particularly SMEs – have felt daunted by GDPR regulations as they strive to ensure they are compliant. Now, in the wake of Brexit, businesses must also take into account UK-GDPR when dealing with personal data of UK citizens.

How has GDPR changed after Brexit?

Following Brexit, the principles of European GDPR have been incorporated into UK law to become what is now known as UK-GDPR. This means that in practice very little has changed from the rights and responsibilities of the original GDPR.

The core messages of the UK-GDPR remain the same, meaning that you must:

  • gain explicit consent from users on your website before you use third-party trackers or cookies to process their personal data
  • keep a record of consent from all users
  • enable users to change their consent at any point
  • give UK users the right to delete or correct any personal data you have collected on them.

Besides the main elements, the wording of the UK GDPR differs slightly from the EU GDPR, in particular around national security, intelligence services and immigration. The British government has published a Keeling Schedule to highlight any changes made over time, and businesses can refer to this to ensure they are aware of any amendments that may affect them.

Do UK businesses still need to comply with EU GDPR?

If your business operates in the European Economic Area (EEA) or offers goods or services to EU residents, you will still need to comply with EU GDPR, since it governs the processing of any personal data of EU residents. Likewise, the UK GDPR will from now on govern any use of personal data of UK citizens.

If you are continuing to process EU residents’ personal data, you may need to engage an EU representative to function as the local contact for EU authorities or data subjects, in order to resolve any issues around the processing of data.

A six-month extension on data transfers

Since Brexit, the EU considers the UK a third country with regard to GDPR, meaning there may be certain restrictions placed on the transfer of data between the EU and the UK unless the EU deems the UK’s GDPR to be “adequate”.

It was announced on 31 December 2020 that GDPR will remain applicable in the UK for 6 months following the end of the Brexit transition period – that is, until 1 July 2021. During this 6-month “bridge”, data can continue to be transferred between the UK and the EU without additional restrictions, whilst the EU comes to a decision.

After the end of the bridge, the EU Commission may or may not grant the UK adequacy. If it does adopt an adequacy decision, personal data can continue to be shared between the UK and EU following the end of this 6-month “bridge”.

If the EU does not grant the UK adequacy, GDPR will continue to apply to certain “legacy” personal data, transferred before the end of the transition period. However, any new data sharing will need to comply with new guidelines.

What do UK businesses need to do to comply with UK GDPR after Brexit?

Businesses may be understandably worried about GDPR and Brexit. But there are a few steps your business can take to ensure you can continue to operate without disruption to your business practices:

  • Review the changes between the EU and UK data protection regulations to be aware of any that affect you.
  • Update your in-house GDPR documentation so that it aligns with the new UK GDPR.
  • Put safeguards in place if you are reliant on transferring data between the EEA and the UK, to ensure you can continue to do so even if the EU does not grant adequacy.

The contents of this article do not constitute legal advice and are provided for general information purposes only.



The Legal Stop serves businesses and individuals alike, providing online legal documents and fixed fee legal services. We aim to make our legal services accessible and transparent, offering relevant, practical solutions for all. 


Catherine Partridge

Catherine is our legal editor. She writes website and blog content for a range of industries including legal, business and retail. Having graduated from Exeter University with a degree in French and Spanish, Catherine spent some time working abroad before returning to Devon. She now juggles a writing career that she loves with bringing up two young children and exploring the Devon and Cornish coastline.
