Home / Media Centre / Blogs / Data protection now that the UK has left the EU

Data protection now that the UK has left the EU

Posted onMarch 2021
Share this article
- Share this article on twitter
- Share this article on linkedin

On 31 December 2020, the Brexit transition period came to an end and a new UK data protection regime came into being. Businesses transferring personal data to and from other countries – which of course may include transfers to overseas service providers who host personal data outside the UK - will need to address how they continue to do this under the new regime.

Prior to Brexit, UK data protection law was principally governed by the General Data Protection Regulation (EU GDPR), which created a harmonised legal framework regulating the way in which personal data is collected, used, and shared throughout the EU. In addition, the EU GDPR was supplemented by the UK Data Protection Act 2018 (UK DPA) which exercised a number of provisions within the EU GDPR and covered additional matters beyond the scope of the EU GDPR (such as law enforcement processing and intelligence services processing).

However, following 31 December 2020, the EU GDPR ceased to directly apply to the UK, but effectively became part of UK domestic law. In order to ensure that it works in a UK context, various amendments were made to the EU GDPR by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. This amended version of the EU GDPR is what is now commonly known as the "UK GDPR". It has very similar terms to the original EU GDPR, but stands separate to the EU GDPR as part of UK domestic law. Alongside the creation of the UK GDPR, various consequential amendments were also made to the UK DPA so that they work with each other.

Will your business need to comply with both the EU GDPR and the UK GDPR?

If you are a UK business that deals with the personal data of individuals situated both in the UK and the EU, it is likely that you will have to comply with both the EU GDPR and the UK GDPR and risk dual enforcement action from both respective data protection authorities in the event of any breach.

By way of example, if you are a business based in the UK that does not have any branches, offices or other establishments in the EU, but you are offering goods and services to individuals in the EU or you monitor the behaviour of individuals in the EU, as you are required by the EU GDPR to appoint an EU based representative to act on your behalf in respect of your EU GDPR compliance. Therefore you may need to be conscious of whether your business falls within one or both regimes, as there may be additional compliance requirements that need to be addressed.

Data Transfers from the EU to the UK

A common concern pre-Brexit was that once the UK left the EU, the European Commission would decide that the UK did not offer an adequate level of data protection and thus transfers of personal data from the EU to the UK would require further transfer mechanisms in order to remain lawful.

This issue was addressed in the EU-UK Trade and Cooperation Agreement, which declared that whilst the European Commission continued its assessment of the adequacy of the UK data protection regime, transfers to the UK are to be considered as if they were still transfers within the EU.

This means that if your business is receiving personal data from organisations situated in the EU, it will not need to make any changes to its current arrangements for the time being. However, this interim solution is only for a limited period of up to four months (extendable to six months) so the current arrangements could potentially end at the end of April or June 2021 depending on the results of this adequacy assessment.

With this in mind, it should be noted that on 19 February 2021, the European Commission published its draft decision on the UK’s adequacy under the EU GDPR and the Law Enforcement Directive and found the UK to be adequate. The draft decision will now be considered by the European Data Protection Board and a committee of the 27 EU states. If the committee approves the draft decision, then the European Commission will formally adopt it. In the meantime, the UK effectively has to maintain its existing data protection regime during this interim period and can only amend it in limited circumstances.

Data Transfers from the UK to the EU

If your business is transferring personal data to an organisation in the EU, the UK Government have confirmed that it deems the EU member states to provide an adequate level of protection for personal data, and so personal data flows from the UK to the EU can continue without additional transfer mechanisms. This decision will be kept under review. Minor updates will nevertheless still generally be required to most businesses’ privacy notices and other documentation to reflect the changes brought about by Brexit.

Going forward however, now the transitional period has ended, the UK will have the ability for its data protection laws to develop independently of the EU GDPR, and to enter into its own independent arrangements with countries outside of the EU. It will therefore be important for businesses to take care in evaluating and applying the separate UK and EU regimes and to stay up to date with changes in both as they diverge over time and take separate identities

Here to Help

For advice in respect of the UK data protection regime, please contact either James Sarjantson on 0113 201 0401 – ku.oc1714131439.fcl@1714131439nostn1714131439ajras1714131439j1714131439 or Thomas Taylor on 0113 204 0407 – ku.oc1714131439.fcl@1714131439rolya1714131439tt1714131439

Get in touch

Written by Thomas Taylor

Recommended by our clients

We as a family were looked after amazingly well.

M

M. Patchett
Everyone was brilliant and extremely helpful. Talked us through everything and gave us great advice

A

A. Stead
We’ve been with LCF for many years and you are always on the ball!
We always receive a warm welcome at reception from the “girls” and a very professional team dealing with clients.

S

S & C. Robinson
The service received from LCF was excellent and I couldn’t have asked for better lawyers to assist me in what I needed to have done. Amjed and Anisha are both assets to the firm.

I

I. Mir
We have used both conveyancing and personal law and have been extremely satisfied with both departments. We found staff to be professional and efficient and have recommended you to others based on our experience.

Y

Y. Grant
Ann Christian was brilliant and pleasant to work with.

A

A. Patel
Fabulous service through out the whole process.

N

N. Baldry
The whole process from start to finish was impeccable. Jo was truly amazing. Wouldn’t use any other law firm.

G

G Bray
I personally do not think you could improve on your service. My whole experience was excellent and I was made to feel at ease immediately starting with your receptionist. Ann was brilliant in explaining things to me and was very friendly and professional at all times. I would certainly recommend you to friends.

B

B. Chinque
I’ve used LCF for many years and no matter which department I have had to use the level of service has always been high.

C

C. Davitt