In the midst of the pandemic, the opening days of 2021 also saw a major change in the legal relationship between the UK and the EU, as the Brexit transition period came to an end at 11pm on 31 December 2020. In this blog, our Partner and data privacy legal expert, Obi Nwokedi, reviews the immediate impact for businesses in protecting personal data.

From 1 January 2021, the EU GDPR no longer applies to the UK. However, it has been retained in UK domestic law as the ‘UK GDPR’. The good news is that the Trade and Cooperation Agreement (TCA) agreed between the UK and European Union on Christmas Eve addresses the issue of personal data protection, including agreement that data can continue to flow freely between the EEA and the UK after 2020.

However, there are still some important implications for UK controllers and processors, in particular:

Transfers

  • EEA to UK: data can continue to flow freely between the EEA and the UK. NOTE: this is not an “adequacy” decision but a “bridging mechanism” to allow the flow of data until such time as an adequacy decision is made;
  • UK to EEA: the UK government has transitionally recognised all EEA countries as ‘adequate’ under UK law, which for now will allow data flows from the UK to the EEA to continue under UK law.

Standards

In theory there ought to be no lowering of standards in the UK GDPR relative to the EU GDPR. The TCA contains a commitment by both sides to maintain high standards of data protection.

One stop shop

This mechanism is no longer available to UK data controllers. However, the TCA provides for co-operation between the ICO and EU Supervisory Authorities, including through the agreement of supplementary provisions to the TCA.

UK GDPR Extra-territorial scope

Organisations based outside the UK but “established” in the UK, or offering goods or monitoring behaviour of UK citizens, will have to comply with the UK GDPR.

Drafting Considerations

Controllers and processors should consider the impact on Data Processing Agreements (DPAs), Records of Processing Activities (RoPA), Data Privacy Impact Assessments (DPIAs), Policies and Breach Reports and where appropriate amend these to reflect the fact that the UK is no longer an EU Member State.

Legacy Data

The Withdrawal Agreement requires continued application of the EU GDPR to personal data of non-UK individuals acquired prior to the end of the Implementation Period.

Our View

Leaving the politics of Brexit aside for a moment, the TCA is a welcome development at the end of what for businesses has been a fraught and often very difficult 4.5 years since the UK voted to leave the EU in 2016. From a data protection perspective, the TCA offers stability, an effective data transfer mechanism, processes for ensuring continuing alignment of data protection standards and the ability for wider and closer cooperation between the UK and EU in the future.

We can help

If you’re currently reviewing your data protection or privacy procedures as a result of Brexit or digital transformation, we can help! We are experts with decades of experience, and you can take advantage of a free 30 minute consultation with us to ensure you’re on the right track. To find out more and book your session, go to our contact us page.