When Brexit came into effect on January 1, 2021, it also affected the protection and transfer of data between the UK and the EU. If up until the end of 2020, data protection within the UK was regulated by the European Union’s General Data Protection Regulation (GDPR), then as of this year, adhering to the regulation is no longer mandatory for the UK.
The UK now falls under the definition of a third country per the GDPR, similar to, for example, Japan or Canada, and must adhere to chapter 5 of the GDPR, which covers transfers of personal data to third countries and international organisations. More specifically, the chapter states that any personal data that is intended for processing can only be transferred if the controller and the processor comply with all of the necessary conditions laid down for this. For example, one of these conditions decrees that a data subject must be informed when their data is transferred outside of the EU – this is important, for example, if a UK company processes data they have received from the EU.
The EU-UK Trade and Cooperation Agreement, which only touches very briefly on data protection, leaves room for a six-month transition period (until July 1, 2021). During this time, data can be transferred between the two unions in the same way as before Brexit. But it comes with a clause, which states that the UK cannot change any of its data protection legislation during the transition period. If the UK should decide to do so nonetheless, then all changes must be approved by the EU-UK Partnership Council. If the UK decides to pass new legislation without the approval, then the transition period will end immediately. However, the likelihood of this happening is very low and for the next six months, most probably, everything will continue to work as it has since the GDPR first came into effect.
The UK should have no issues with following the GDPR since the UK was actively involved in the development of the GDPR as a member of the EU. Additionally, the main principles of the GDPR are already incorporated into the UK’s Data Protection Act 2018 and local organisations have had to follow these for many years now.
The adequacy of data protection in the UK
If the UK’s level of data protection is essentially equal to that of the EU and meets certain criteria, then the European Commission may adopt an adequacy decision that confirms this level. A decision like this would allow the UK to transfer personal data without any new restrictions. If such a decision is made, then it will probably be made prior to July 1, 2021. However, companies should keep in mind that if an adequacy decision is not adopted by the EU, then you may have to help your partners in the EU decide how to transfer personal data to the UK in the future.
Data that has been transferred to the UK before the Brexit transition period or according to the Withdrawal Agreement after the transition period will continue to be processed in the UK according to the GDPR. In other words, you can expect nothing to change regarding that data.
Even now, after Brexit, UK organisations should still follow the GDPR when processing the personal data of EU citizens. You can read more about this topic on the GOV.UK service portal.