There have been two versions of the General Data Protection Regulation (GDPR) since 1 January 2021: the GDPR that will continue to apply to those operating within the EU, and the UK GDPR. Businesses that operate within the UK and the EU must consider their obligations under both sets of regulations and may need to appoint an EU representative.
Data transfers from the EU
We had hoped that by the end of the transition period the UK would be approved by the European Commission as being ‘adequate’ in data protection terms. However, this didn’t happen and the UK has been reclassified as a ‘third country’. This has important consequences for the transfer of personal data from the EEA into the UK. Transfers from the EEA to third countries are only permitted in certain circumstances, the most important of which are where:
- the European Commission has issued an adequacy decision;
- appropriate safeguards are in place; or
- there are approved codes of conduct.
The UK government has stated that transfers from the UK to the EEA will continue to be permitted.
EU-UK Trade and Cooperation Agreement
The effect of the EU-UK Trade and Cooperation Agreement is that personal data transfers from the EU and EEA to the UK can continue without additional safeguards during the ‘specified period’, which is an extended transition period of four months from 1 January 2021. This will be automatically extended by two months unless one of the parties objects or the European Commission makes an adequacy decision. If no adequacy decision has been reached by the end of the specified period, then appropriate safeguards must be in place for data transfers from the EU or EEA into the UK.
Safeguards in place of adequacy
The EU Commission’s standard contractual clauses (SCCs) are the most common way to put in place safeguards to protect personal data transferred to third countries with no adequacy decision. This mechanism will usually be the best option for transfers of personal data from the EEA to the UK until the UK receives an adequacy decision.
Summary: GDPR and Brexit
1. UK businesses that are only processing data within the UK, with no transfers to or from other countries
There is no change of obligations under the UK GDPR. Businesses are able to continue as normal, but are advised to change contracts to refer to the amended terminology.
2. UK businesses sending data to the EU or any other third country granted an adequacy decision by the EU Commission
As a result of the UK retaining existing EU adequacy decisions after Brexit, and the government permitting transfers to the EEA because of their compliance with EU GDPR, the situation is the same as for point one. The 12 third countries that have received adequacy decisions are: Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Israel, Isle of Man, Japan (for private sector organisations), Jersey, New Zealand, Switzerland and Uruguay – notably not the US.
3. UK businesses processing data from the EU
After the end of the specified period, which will not be earlier than 1 May 2021, appropriate safeguards must be in place if the EU has not reached an adequacy decision in favour of the UK. For most companies, this will be via the use of SCCs. If you are processing the personal data of EU data subjects, you may need to appoint an EU representative.
4. UK businesses that send data to a non-approved third country
Businesses sending data from the UK to a third country other than the EU or one that is adequate (as listed in point two) must ensure that safeguards are in place. For most companies this will be via the use of SCCs.
5. UK businesses processing data from a third country
If the third country has agreed to maintain unrestricted flows of personal data (which all of the third countries listed in point two – except Andorra – have), then there is no change. For data from any other country, that country’s national laws should be consulted.
Laura Trapnell is a partner and data protection expert at Paris Smith