Post-Brexit data protection – where are we now?

By Cameron Abbott and Michelle Aggromito

After years of political squabble and delays, Brexit day finally arrived on 31 January 2020. But what does it mean when we talk about the UK’s withdrawal from the EU and how will data protection regulation and compliance change?

There will be little change during the transition (also known as “implementation”) period that is expected to end on 31 December 2020. During this period, EU law will continue to apply in the UK, including the EU General Data Protection Regulation (GDPR), after which the GDPR will be converted into UK law.

Assuming all goes to plan (which is almost impossible where Brexit is concerned), the UK will be a “third country” under the GDPR from 2021. What does this mean for data flows in and out of the UK?

• The UK Government has acknowledged that it will recognise all EEA countries under its own adequacy ruling and incorporate all existing EU adequacy decisions. This will allow organisations within the EU to continue facilitate data transfers from the UK to these countries;
• GDPR restrictions will apply to personal data being transferred into the UK unless the EU establishes that the UK is an “adequate” country. This will require the European Commission to assess and approve the UK for adequacy. This is unlikely to get across the line by this time and so organisations should ensure that they have implemented appropriate safeguards for inbound data transfers, such as adopting the EU’s standard contractual clauses in its arrangements with EU based entities; and
• Organisations based in both the UK and the EU will need to update their privacy notices to reflect the change in status.

The UK Government has said that it plans to continue GDPR post the transition period and so organisations should maintain their compliance on that basis. However, if Brexit has taught us one thing, it’s that we can never be certain so watch this space!