Following a public consultation, the UK has released details of its proposed Data Reform Bill, which will alter the privacy framework in the UK’s post-Brexit version of the GDPR. Read about this proposed Bill here.
The Commission has allowed data flows from the EU to the UK, but it will be subject to a review in four years.
After the European Data Protection Board (EDPB) adopted an Opinion on the Commission’s Draft UK Adequacy Decisions and the Member States representatives gave their approval, both Decisions entered into force on the 28th of June 2021.
The decision under the General Data Protection Regulation (GDPR) and the decision under the Law Enforcement Directive both allow transfers from the EU to the UK, as the UK currently offers an essentially equivalent level of protection of personal data as guaranteed under EU law.
However, exceptionally, both decisions were also subject to a sunset clause, meaning that they will need to be renewed in four years.
For instance, the EDPB had underlined some possible divergences to be further assessed before the final decisions were made:
=> Next steps: monitoring any future divergences between EU and UK Law, which could become a challenge to the next decisions, due in four years.
The General Data Protection Regulation (GDPR) became enforceable May 2018 – strengthening data protection rights for all people whose personal information fall within its scope of application, and placing new requirements on businesses and entities that handle that personal data. Read more about the GDPR and when it applies here.
With all the changes set to occur as a result of the UK leaving the EU, you might be wondering how exactly does GDPR compliance change for UK and EU businesses after Brexit? We answer this question and more below.
The GDPR, which used to be binding law in the UK until Brexit took effect on Dec. 31st, 2020, is now, for the most part, still applicable in the UK as “UK GDPR” as long as no new national data protection act or legislation is passed.
Data transfers to the EU and to other territories
Under the current UK GDPR data transfers from the UK to other countries follow the same principles of the GDPR. In particular:
💡 Using iubenda as a processor that transfers data to the EU is still perfectly safe for UK users.
Data protection representative
The GDPR (art. 27) requires entities that process personal data of natural persons in the EU to appoint a representative in the EU. During the transition period, this requirement does not yet apply to UK entities.
However, after the transition period expires, UK businesses processing data of natural persons in the EU will most likely have to appoint a EU representative.
Data transfers to the UK
The Brexit agreement struck by the EU and UK in December 2020 includes a transition period of 4 months expiring on April 30th, 2021, which could be extended by another 2 months: during that period, the UK will not be regarded as a “third country”.
→ Until then, nothing changes for EU/EEA businesses transferring data to the UK.
Once the transition period expires (i.e. not before Apr. 30th 2021), data transfers to the UK must take place according to the general GDPR principles, i.e.:
Data protection representative
As of now, the UK-GDPR requires entities that process the personal data of natural persons in the UK to appoint a representative in the UK. Right now, during the transition period, this requirement does not yet apply to EU/EEA entities.
However, after the transition period expires, EU/EEA businesses processing data of natural persons in the UK will most likely have to appoint a UK representative.
Find out more about all other minor and major changes that you’ll face as a UK-based business once the transition period expires on the ICO’s website.