General Data Protection Regulation (GDPR)

Key facts:

  • Since the end of the transition period (31 December 2020), the GDPR has been retained in UK law as the “UK GDPR”.
  • Businesses may need to take extra measures to remain compliant with EU GDPR.
  • The EU-UK Trade and Cooperation Agreement (the free trade agreement) contains a bridging mechanism that allows personal data to keep flowing freely from the EU/EEA to the UK after the transition period until adequacy decisions take effect, for up to 6 months.
  • The UK Government is seeking adequacy decisions from the European Commission. If none is adopted by the time the bridging period ends, transfers of personal data from the European Economic Area to the UK will need to comply with the EU GDPR’s restrictions on transfers to third countries.

The EU rules on personal data remain in UK law, including the powers of the Information Commissioner’s Office (ICO). However, a so-called “adequacy decision” from the EU is needed before UK businesses can lawfully receive personal data from the EU without putting additional safeguards in place.

Adequacy decision

The GDPR ensures that individuals’ personal data remains protected when it flows across borders. This covers, for example, a client database sent from an EU country to the UK, the monitoring of EU residents’ behaviour for commercial purposes, and a UK company that has a European presence or European customers.

After leaving the EU, the UK is outside the EU’s enforcement structures and the European Commission cannot fine the UK if it doesn’t keep up with EU GDPR standards, handles data breaches badly, or introduces legislation that goes against the GDPR.

Therefore, the European Commission is currently assessing whether the UK’s data protection regime (UK GDPR) provides an adequate level of protection for EU residents’ personal data. A positive finding is an “adequacy decision”, and it concerns only personal data flowing from the EU to the UK; the UK has separately recognised the EU/EEA as adequate under UK law, so flows in the other direction are unaffected.

The UK will not be treated as a third country for an interim “bridging” period from 1 January 2021: four months, extendable by a further two months to 30 June 2021. This gives the European Commission (EC) time to finalise its adequacy assessment of the UK, i.e. to decide whether the UK provides “essentially equivalent” protection for personal data to that of the EU and, therefore, whether data may be transferred to the UK without organisations having to take further measures.

If there is an adequacy decision, businesses simply continue to comply with GDPR and no extra measures are needed, as most of the data protection rules stay the same. You can keep exchanging personal data with organisations in EU member states and in the countries the EU has deemed adequate: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. Note that the EU-US Privacy Shield was invalidated by the Court of Justice of the EU in July 2020 (the “Schrems II” judgment), so transfers to the USA now require another safeguard, such as Standard Contractual Clauses.

No adequacy decision

If no adequacy decision is adopted before the bridging period ends (by 30 June 2021 at the latest), businesses will have to put transfer safeguards in place in order to lawfully receive personal data from EU countries.

If your UK business receives personal data from a processor or a controller in the EU:

  • Put Standard Contractual Clauses (SCCs) in place with the EU sender, as a contract or a contract addendum; use the interactive tool on the ICO website to determine which set of clauses you need.
  • Take stock so that you can identify personal data received from the EU/EEA before the end of the transition period (known as ‘legacy data’). In the absence of an adequacy decision, such data remains subject to the EU GDPR as it stood on 31 December 2020.
  • Make sure you review your privacy information and documentation to identify any changes that need to be made as a result of the UK exiting the EU.
  • Keep up to date with the latest information and guidance.

If your UK business sells goods or services in the EU, or has European customers or monitors online behaviour of individuals:

  • If your business is based only in the UK but you offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA, you must comply with the EU data protection regime in relation to those activities. In most cases you will also need to appoint a GDPR representative in the EU, who acts as your local point of contact for individuals and data protection authorities there. You will need to find a provider in the EU that offers GDPR representative services. The representative cannot be your data protection officer (DPO), if you have one, or one of your processors.
  • Take stock so that you can identify personal data received from the EU/EEA before the end of the transition period (known as ‘legacy data’). In the absence of an adequacy decision, such data remains subject to the EU GDPR as it stood on 31 December 2020.
  • Make sure you review your privacy information and documentation to identify any changes that need to be made as a result of the UK exiting the EU.
  • Keep up to date with the latest information and guidance.

If you are part of a multinational group (for example, your UK business has an EU branch or office):

  • Consider adopting Binding Corporate Rules (BCRs), approved by an EU supervisory authority, to cover transfers of personal data within the group.

These measures are only required if there is no adequacy decision from the EU. However, even once such a decision is in place, the European Commission can suspend, amend or repeal it, and it can be struck down by the EU courts, as happened to the EU-US Privacy Shield in 2020. Businesses are therefore advised to look into Standard Contractual Clauses, a GDPR representative and Binding Corporate Rules as part of their contingency planning.

To do

  • Read the UK Government guidance on data protection after leaving the EU.
  • Check the ICO website and its guidance on remaining data protection compliant after the UK’s exit from the EU, and use the ICO’s Standard Contractual Clauses tool.

What’s next?

If an adequacy decision is adopted before the bridging period ends (by 30 April 2021, or 30 June 2021 if the period is extended), businesses simply continue to comply with GDPR and no extra measures are needed, as most of the data protection rules stay the same; personal data can keep flowing from EU member states and the adequate countries listed above.

If no adequacy decision is adopted, transfers from the EU to the UK will need to comply with the EU GDPR transfer rules, using the safeguards described above.
