The UK left the European Union on 31 January 2020 and entered a Brexit transition period, which runs until the end of December 2020. During this transition period, the General Data Protection Regulation (GDPR) will continue to apply in the UK and UK businesses should continue to follow existing guidance on it.
What happens at the end of the transition period?
We do not know yet what the data protection landscape will look like at the end of the transition period. If the UK leaves the EU without a deal, most of the data protection rules will stay the same, but there may be further developments on certain issues, such as how UK-EU data transfers are dealt with.
Will the GDPR still apply when we leave the EU?
When the UK leaves the EU at the end of the transition period, the GDPR, in principle, will no longer apply. However, businesses in the UK will need to comply with UK data protection law, i.e. the Data Protection Act 2018 (DPA 2018). As the Government intends to incorporate the provisions of the GDPR into the DPA 2018 from the end of the transition period, there will be little change to the core data protection principles found in the GDPR.
The GDPR will also directly apply to any UK business that targets European customers, operates inside the European Economic Area (EEA), or otherwise receives data from organizations based in the EEA.
Will UK businesses still be able to send and receive data to and from Europe?
The UK Information Commissioner’s Office (ICO) has always stressed the importance of having as much consistency in data protection laws on an international basis as possible because so many businesses operate across borders. However, what happens at the end of the transition period in relation to data transfers will depend on negotiations during that period.
The UK Government has said that transfers of data from the UK to the EEA will not be restricted. UK businesses will therefore be able to continue to transfer data from the UK to the EEA lawfully under UK adequacy regulations, provided their documentation and privacy notices have been updated to expressly cover those transfers.
The position is slightly different for data transfers from the EEA into the UK. If the UK leaves the EU without a deal, then the UK will become a third country for data protection purposes. This will mean that data transfers from the EEA into the UK will be restricted unless the transfer is covered by an adequacy decision, an appropriate safeguard or an exception.
For most businesses, this will mean putting in place EU-approved terms, known as standard contractual clauses (SCCs) between the sender and receiver of personal data as an appropriate safeguard governing the transfer. However, businesses should note that the validity of SCCs is currently being challenged in Schrems II (please see case update here).
How should businesses prepare?
UK businesses are advised to look at what they are doing now and to identify whether they are likely to be involved in any international transfers of personal data after the transition period. In particular, businesses should look to identify and document:
- Any transfers they make from one country to another;
- The volume and type of data being transferred (particular attention should be given to transfers which involve large volumes of data, include special categories of data, or which are business-critical);
- Whether the transfers are inside or outside the EEA (in relation to data originating in the EEA);
- What legal basis is being relied on for the transfers; and
- What appropriate safeguards are in place (or can be put in place) to govern the transfer.