GDPR & Brexit – What it means for businesses and the impact on data protection

Brexit and GDPR
Update

Following a public consultation, the UK has released details of its proposed Data Reform Bill, which will alter the privacy framework in the UK’s post-Brexit version of the GDPR. Read about this proposed Bill here.

The Commission has allowed data flows from the EU to the UK, but they will be subject to a review in four years.

After the European Data Protection Board (EDPB) adopted an Opinion on the Commission’s Draft UK Adequacy Decisions and the Member States’ representatives gave their approval, both Decisions entered into force on the 28th of June 2021.

The decision under the General Data Protection Regulation (GDPR) and the decision under the Law Enforcement Directive both allow transfers from the EU to the UK, as the UK currently offers an essentially equivalent level of protection of personal data as guaranteed under EU law.

However, exceptionally, both decisions were also subject to a sunset clause, meaning that they will need to be renewed in four years.

For instance, the EDPB had underlined some possible divergences to be further assessed before the final decisions were made:

  • The Immigration Exemption and its consequences on restrictions on data subject rights;
  • The application of restrictions to transfers of personal data from the European Economic Area to the UK, on the basis of possible future adequacy decisions adopted by the UK, international agreements between the UK and third countries, or derogations.

=> Next steps: monitoring any future divergences between EU and UK Law, which could become a challenge to the next decisions, due in four years.

Read the full text here

The General Data Protection Regulation (GDPR) became enforceable in May 2018, strengthening data protection rights for all people whose personal information falls within its scope of application, and placing new requirements on businesses and entities that handle that personal data. Read more about the GDPR and when it applies here.

With all the changes set to occur as a result of the UK leaving the EU, you might be wondering how exactly GDPR compliance changes for UK and EU businesses after Brexit. We answer this question and more below.

GDPR after Brexit, does anything change?

The GDPR, which used to be binding law in the UK until Brexit took effect on Dec. 31st, 2020, is now, for the most part, still applicable in the UK as “UK GDPR” as long as no new national data protection act or legislation is passed.

What should I know as a UK-based business?

Data transfers to the EU and to other territories
Under the current UK GDPR, data transfers from the UK to other countries follow the same principles as the GDPR. In particular:

  • if the UK Government has issued an adequacy regulation for your target territory, you may transfer data without further requirements. This status currently applies to all EU and EEA states and all countries covered by an EU adequacy decision (e.g. Argentina, Switzerland, New Zealand etc.) and, subject to conditions, Japan and Canada;
  • if none of the above applies, as a UK-based business wishing to transfer personal data abroad, you will have to rely on the same alternatives given under the GDPR, such as standard contractual clauses (SCCs), other “appropriate safeguards” or “exceptions”. In this regard, the UK data protection authority (ICO) has stated that EU SCCs entered into before the end of the transition period continue to be valid under the UK regime, and that EU SCCs can also still be used for new transfers of personal data. UK versions of the EU SCCs have been published by the ICO and can be used by businesses.

💡 Using iubenda as a processor that transfers data to the EU is still perfectly safe for UK users.

Data protection representative
The GDPR (art. 27) requires entities that process personal data of natural persons in the EU to appoint a representative in the EU. During the transition period, this requirement does not yet apply to UK entities.

However, after the transition period expires, UK businesses processing data of natural persons in the EU will most likely have to appoint an EU representative.

How does Brexit affect me as an EU/EEA-based business?

Data transfers to the UK

The Brexit agreement struck by the EU and UK in December 2020 includes a transition period of 4 months expiring on April 30th, 2021, which could be extended by another 2 months: during that period, the UK will not be regarded as a “third country”.

→ Until then, nothing changes for EU/EEA businesses transferring data to the UK.

Once the transition period expires (i.e. not before Apr. 30th 2021), data transfers to the UK must take place according to the general GDPR principles, i.e.:

  • in case the European Commission should issue an adequacy decision for the UK, data transfers could take place without additional requirements;
  • in case no adequacy decision is issued before the end of the extended transition period, transfers of personal data from the EU/EEA states towards the UK will have to rely on appropriate safeguards such as standard contractual clauses approved by the European Commission (SCCs), or other “appropriate safeguards” or “exceptions” for transfer set forth in the GDPR.

Data protection representative

As of now, the UK-GDPR requires entities that process the personal data of natural persons in the UK to appoint a representative in the UK. Right now, during the transition period, this requirement does not yet apply to EU/EEA entities.

However, after the transition period expires, EU/EEA businesses processing data of natural persons in the UK will most likely have to appoint a UK representative.

Further reading

On the ICO’s website, you can find out more about all other minor and major changes that you’ll face as a UK-based business once the transition period expires.
