In May 2018, the EU’s General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018 came into force.
Embedded in the EU Digital Single Market Strategy, the GDPR regulates the handling of personal data of individuals (so-called data subjects) by e.g. companies or other entities engaged in economic activity. The GDPR enables individuals to wield control over their personal data handled in such economic activity.
The GDPR has been adopted by the three countries (Iceland, Norway, Liechtenstein) that together with the EU form the European Economic Area (EEA). As a result, the GDPR applies to economic activity within the EEA.
The United Kingdom (UK) has ceased to be a member of the EU after withdrawal on 31 January 2020. During the transition period (aka implementation period) the UK remains a member of the EEA. This means that for the time being, the GDPR continues to apply.
The UK government has, however, kept its promise of taking back control and has rejected future regulatory alignment with the EU’s Internal Market rules. The intended non-alignment means that the UK will leave the EEA at the end of the transition period on 31 December 2020. As a consequence, from 1 January 2021, the UK will be a third country within the meaning of the GDPR and the transfer of personal data to the UK will by default be subject to restrictions.
For a company based in the UK to be able to receive personal data from within the EEA, it will have to provide appropriate safeguards ensuring compliance with data protection requirements and the rights of the data subjects set out in the GDPR. Providing appropriate safeguards, for instance by adding provisions about the transfer of personal data to a data privacy policy, requires additional effort by companies.
There is a way out of this situation. The EU can formally declare the UK’s data protection regulation as offering an adequate level of data protection and thus exempt UK companies from providing the appropriate safeguards in order to receive personal data from the EEA.
The European Commission has committed to an adequacy assessment of the UK’s level of data protection but has so far not taken any decision. For the foreseeable future companies therefore have to bear the burden of providing safeguards.
Should you require a review of you data privacy policies in the light of Brexit or have any further questions regarding transfers of personal data to the UK post-Brexit, please do not hesitate to get in touch.