The UK has now left the EU and the transition period for leaving ended on 1 January 2021; however, the EU-UK Trade and Cooperation Agreement (“Trade Agreement”) has extended the transition period for data protection requirements for up to six months (“Specified Period”). This article has been updated to account for the extension.

This blog considers what Brexit means for data protection, highlights some of the key changes to the General Data Protection Regulation (“GDPR”) following Brexit and suggests practical considerations for businesses that process personal data. The biggest impact will be felt by those who transfer data from the EEA into the UK, as we describe below.

The new legislation | GDPR and Brexit

There are two versions of the GDPR following 1 January 2021: the GDPR, which will continue to apply to those operating within the EU (“EU GDPR”), and the UK GDPR. Therefore, businesses that operate within both the UK and the EU will be subject to a dual regime and must consider their obligations under both sets of regulations.

As the UK diverges from the EU, data controllers and data processors should be particularly alert to the fact that the UK GDPR will not automatically incorporate changes made to the EU GDPR after Brexit; these will need to be specifically incorporated by the UK, if they are incorporated at all.

The first port of call should be to consider whether your business processes personal data within the UK, the EU, or both, and to identify the regulations that apply. The most obvious changes will be to terminology in existing (and future) contracts; for example, references to the GDPR should instead refer to the UK GDPR, references to the supervisory authority will become the Information Commissioner, and references to member state law should become domestic law.

UK GDPR – know your responsibilities

There is little material difference between the UK GDPR and the EU GDPR in terms of the responsibilities of processors of personal data. The ICO has advised that the key principles, rights and obligations will remain the same as before, so if you already comply with the current GDPR then the transition should not have much effect. The biggest impact will be felt by those who transfer data from the EEA into the UK.

Data transfers from the EU – is the UK adequate?

We had hoped that by the end of the transition period, the UK would be approved by the EU Commission as being ‘adequate’ in data protection terms. However, this has not yet happened. From the end of the transition period the UK’s reclassification as a ‘third country’ will take effect. This has important consequences for the transfer of personal data from the EEA into the UK. Transfers to third countries are only permitted in certain circumstances, the most important of which are where:

An adequacy decision means that the EC is satisfied that the third country has an adequate level of data protection and issues a formal decision to that effect. The effect of this is that no further safeguards are necessary for transfer of personal data from an EEA state to that country.

There has still been no adequacy decision made nor relevant codes agreed between the EU and the UK; the EU is in the process of conducting a data adequacy assessment of the UK. In order to be passed, the third country’s data protection standards must be ‘essentially equivalent’ to those of the EU. Such a decision in favour of the UK is not guaranteed, particularly following recent criticism by the CJEU of the UK’s Regulation of Investigatory Powers Act. Meanwhile, the UK Government has already stated that transfers from the UK to the EEA will be permitted.

Please also note that UK organisations operating in the EU will need to appoint an EU representative under Article 27 of the EU GDPR, and vice versa for EU companies operating in the UK.

For businesses that exchange personal data with the other third countries already deemed adequate by the EU, eleven of those twelve countries have so far agreed to maintain unrestricted personal data flows to the UK (the exception being Andorra). There are no changes whatsoever to personal data transfers from the UK to any other country, as the UK Government has decided to retain the adequacy decisions made by the EC.

The UK-EU Trade Agreement

The effect of the Trade Agreement is that personal data transfers from the EU and EEA to the UK can continue without additional safeguards during the Specified Period. This extended transition period is an initial four month period from 1 January 2021, which will be automatically extended by two months unless one of the parties objects or the EC makes an adequacy decision. If no adequacy decision has been reached by the end of the Specified Period, then appropriate safeguards must be in place for data transfers from the EU or EEA into the UK.

Safeguards in place of adequacy

Standard contractual clauses (“SCCs”) are the most common way to put in place safeguards to protect personal data transferred to third countries with no adequacy decision. This mechanism will usually be the best option for transfers of personal data from the EEA to the UK until the UK receives an adequacy decision. SCCs are terms and conditions that the transferor and the receiver enter into in order to ensure that the transferor complies with its EU GDPR obligations. The ICO has been given the power to produce SCCs and has already made guidance and templates available which are aimed at micro, small and medium sized businesses (controller to processor, and controller to controller).

Larger businesses that transfer personal data between group companies in different countries may instead decide to consider creating binding corporate rules (BCRs) for their intra-group transfers. They must apply to a data protection authority within the EU, which will assess the BCRs to ensure that adequate safeguards for protecting the personal data are in place throughout the organisation.

Summary: GDPR and Brexit

Every business should review their UK GDPR obligations. The following summaries highlight the differences for cross-border personal data transfers.

  1. UK businesses only processing data within the UK with no transfers to or from other countries
    There is unlikely to be a change of obligations under the UK GDPR. Businesses should be able to continue as normal, but are advised to amend contracts to refer to the amended terminology.
  2. UK businesses sending data to the EU or any other approved ‘third country’
    Due to the existing EU adequacy decisions being retained by the UK, and the Government permitting transfers to the EEA, the situation is the same as for (1) above. The twelve third countries that have received adequacy decisions are as follows: Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Israel, Isle of Man, Japan (for private sector organisations), Jersey, New Zealand, Switzerland and Uruguay.
  3. UK businesses processing data from the EU
    After the end of the Specified Period, which will not be earlier than 1 May 2021, appropriate safeguards must be in place if the EU has not reached an adequacy decision in favour of the UK. For most companies this will be via the use of SCCs.
  4. UK businesses sending data to a non-approved ‘third country’
    Businesses sending data from the UK to a third country other than the EU or one that is adequate (as listed in (2) above) must ensure that safeguards are in place. For most companies this will be via the use of SCCs.
  5. UK businesses processing data from a ‘third country’
    If the third country has agreed to maintain unrestricted flows of personal data, which all of the third countries listed in (2) above except Andorra have, then there is no change. From any other country, their national laws should be consulted.

If you would like to discuss this blog or any other commercial contract query, please contact a member of the Commercial team and we will be delighted to assist you.
