Data protection now the UK has left the EU: January 2021 update
Following the UK’s departure from the European Union, ICAEW Insights has the latest on how this affects the sensitive issue of data protection.
- The General Data Protection Regulation (GDPR) has been retained in UK law and will continue to be read alongside the Data Protection Act 2018, but with some technical amendments to ensure it can function in UK law.
- The Information Commissioner remains the UK’s independent supervisory authority on data protection.
- The UK is now deemed a ‘third country’ by the EU and so will require an adequacy decision to continue personal data transfers from the EU/EEA. However, the EU-UK Trade and Cooperation Agreement contains a bridging mechanism that allows the continued free flow of personal data from the EU/EEA to the UK after the transition period until adequacy decisions come into effect, for up to six months.
- Transfers of personal data from the UK can continue as before.
Implications for UK organisations
- Receiving personal data from the EU/EEA.
- For the duration of the bridging mechanism, you can continue to receive personal data from the EU/EEA, but you should work with any EU/EEA organisations that transfer personal data to you to put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU-to-UK personal data.
- For most organisations, the most relevant of these will be Standard Contractual Clauses (SCCs). The ICO also provides more detailed guidance on what actions might be necessary and an interactive tool that allows you to build SCCs.
- 11 of the 12 third countries deemed adequate by the EU are maintaining unrestricted personal data flows with the UK.
- Further information can be found on the ICO’s website.
- Transferring personal data from the UK:
- There are currently no changes to the way you send personal data to the EU/EEA, Gibraltar and other countries deemed adequate by the EU.
- For international data transfers from the UK to other jurisdictions, further information can be found on the ICO’s website.
- Holding ‘legacy’ data ie the personal data of individuals based outside the UK (whether in the EEA or not) which is processed in the UK but acquired before 31 December 2020:
- Article 71(1) of the Withdrawal Agreement contains provisions that continue to apply EU data protection law to certain ‘legacy’ personal data until full adequacy decisions are adopted by the EU and come into effect.
- Although UK organisations may not need to do anything differently immediately to accommodate the Withdrawal Agreement requirements in practice, they may want to consider, where possible, taking stock of the personal data they hold so they can identify and track relevant legacy personal data to which EU data law applies in line with the Withdrawal Agreement requirements.
- Please monitor the ICO’s website for further guidance.
- Appointing EU-based representatives
- Some UK data controllers and processors may also need to appoint EU-based representatives if they do not have an office, branch or other establishment in the EEA but offer goods or services to individuals in the EEA or monitor the behaviour of individuals in the EEA.
- See the ICO website (here) for full details of when this may apply.
- Updating documentation
- Any references to EU law, UK-EU transfers and your EU representative (if you need one) will need to be updated in your privacy notices, DPIAs and other documentation.
- See ICAEW's guidance on Privacy Notices.
- See the ICO’s guidance.