After 47 years, 31 December 2020 saw the UK finally depart the European Union single market. A new trade deal of course has been struck, which brings significant changes for businesses who trade with Europe, but many issues still need to be negotiated in the coming months; one of these being around data and how it is held and transferred between the UK and EU moving forward.
UK data protection law was previously governed by the GDPR, and has been since it was introduced in 2018. This ceases to have direct effect as of 1 January 2021, but as the UK is committing to maintaining an equivalent data protection standard, the UK-GDPR will apply going forwards. The Data Protection Act 2018 (DPA 2018) also remains in place with some technical amendments.
The UK-GDPR is essentially a duplicate of the GDPR, containing all of the same obligations and duties, but tailored specifically for the UK. Processing previously covered by the GDPR now falls under the UK-GDPR. For businesses operating solely in the UK, in practice there is little change to the core data protection principles, rights and obligations, but there are implications for the rules on transfers of personal data between the UK and the EEA.
The UK Government are currently seeking adequacy from the European Commission – a recognition that UK laws provide a level of data protection that matches the GDPR, and granting the country a special status of adequacy. A number of countries have already been granted adequacy, meaning that transfers of data can take place between the third country (a state that falls out of the GDPR zone) and the EEA as if the country were a member state, effectively.
As part of the trade deal, the EU has agreed to delay data transfer restrictions for at least four months, potentially extending to six (known as the bridge). This means that the UK isn’t considered as a third country as yet, and the personal information of EU citizens will continue to be sent freely to the UK, until an agreement on adequacy is reached.
Time to Act
If you receive personal data from the EEA, it’s recommended that you put alternative safeguards in place before the end of April, if you haven’t done so already. Whilst it is hoped that adequacy will be approved, it is not a done deal and businesses should be mindful of the fact that the GDPR will still apply to you if you offer goods or services to persons in the EEA in terms of how data is processed. It will also apply to organisations in Europe who send data to you, as they will need to comply with UK legislation, if the trade deal bridge ends without adequacy.
If you require further information relating to the data protection obligations of your business, please contact Farleys Solicitors on 0845 287 0939 or contact us by email.