General Data Protection Regulation (GDPR)

Key facts:

  • GDPR will become “UK GDPR” after the transition period ends.
  • Businesses may need to take extra measures to remain compliant with EU GDPR.
  • The UK and the EU to negotiate a Security of Information Agreement.

The EU rules on personal data will remain in UK law, including the powers of the Information Commissioner’s Office. However, a so-called “adequacy decision” from the EU will be needed so all UK businesses can lawfully handle personal data coming from the EU.

Adequacy decision

The GDPR ensures that personal data of individuals is protected when flowing across borders. For example, when a database of client data is sent from an EU country to the UK, or when personal data of EU residents are monitored for commercial purposes.

After the transition period ends, the UK will be outside the EU’s enforcement structures and the European Commission cannot fine the UK if it doesn’t keep up with EU GDPR standards, handles data breaches badly, or introduces legislation that goes against the GDPR.

Therefore, the EU will assess if the UK’s data protection standards (UK GDPR) provide an adequate level of protection of EU residents’ personal data. This is called an “adequacy decision” and only regards personal data flowing from the EU to the UK.

If there is an adequacy decision, businesses have to just continue to comply with GDPR and no extra measures will be needed. You can keep exchanging personal data with organisations in EU member states and the countries that the EU has deemed adequate: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay, USA (Privacy Shield).

No adequacy decision

If there is no adequacy decision by the time the transition period ends, some businesses will have to take measures in order to legally receive personal data from EU countries.

If you receive personal data from a processor or a controller in the EU:

  • Build a contract with Standard Contractual clauses – check the tool on the ICO website to determine which set you need.

If you sell goods or services in the EU, or monitor online behaviour of individuals:

  • You will need a GDPR representative in the EU.

If you are part of a multinational group:

  • You are advised to adopt their binding corporate rules on data protection.

These measures are needed if there is no adequacy decision from the EU. However, if such a decision is in place, it can be revoked within 30 days. Therefore, businesses are advised to look into Standard Contractual Clauses, a GDPR representative and corporate rules as part of their contingency planning.

To do

What’s next?

The aim is to have an adequacy decision before the transition period ends, but this is not
guaranteed. The UK may also devise a policy for personal data of UK residents crossing the borders. At a later stage, the EU and the UK are expected to conclude a Security of Information Agreement that will include free flow of personal data, among others.

Disclaimer At the time of writing, the transition period ends on 31 December 2020, and the changes outlined in this fact sheet will occur from 1 January 2021. If that date slips, the changes will still happen, but at a later date. For latest updates go to www.gov.uk/transition.

Related Resources

Mayor of London TechInvest: Black Founders in Tech
Resource

Mayor of London TechInvest: Black Founders in Tech

Support to showcase tech innovation in London.

Allia Grow Your Business Programme
Resource

Allia Grow Your Business Programme

Support for small businesses in East London to grow and create jobs.

Meet the Buyer: Food Innovations
Resource

Meet the Buyer: Food Innovations

Support for SMEs creating a positive environmental impact through food innovations.