Data protection Brexit update – boring but important!
6 January 2021
Although the UK left the EU at midnight on 31 January 2020, we didn't feel the impact of our departure because EU law continued to apply in the UK during the Brexit transition period. That period ended at 11 pm on 31 December 2020 and, while there are still areas of uncertainty in terms of data protection law, we know a fair bit about what UK data protection law now looks like.
The GDPR remains part of UK law – as the UK GDPR – with some changes which are necessary to reflect the fact that the UK is no longer part of the EU and is instead a 'Third Country'. The Data Protection Act 2018 also continues to apply with some minor changes.
So if you were GDPR-compliant on 31 December 2020, you will still be largely UK GDPR-compliant from 1 January 2021, at least in the short term.
Despite this, every data controller in the UK will need to undertake some data protection housekeeping early in 2021. This will involve reviewing your data protection documents and updating references to EU law, institutions, terminology and definitions. The documents you should review include:
- privacy notices for staff, parents/pupils and others;
- policy documents;
- processor terms;
- data sharing agreements; and
- standard contractual clauses.
You should also consider the impact of the UK becoming a Third Country on any international transfers of personal data to which you are a party.
- If you send personal data to the EEA, you will still be able to do so without taking any additional steps.
- If you receive personal data from the EEA, the sender of that information will need to put in place appropriate safeguards and is likely to ask you to cooperate with them to ensure the transfer to the UK is lawful.
- If you offer services to individuals based in the EEA, you will need to comply with the EU GDPR and the UK GDPR and appoint a local representative to liaise with EU customers and regulatory authorities and keep records of your processing activities. Your privacy notice should reflect this.
- The rules for sending personal data to non-EEA countries (or receiving data from non-EEA countries) will remain largely unchanged.
- The EU-US Privacy Shield has recently been judged inadequate by the European Court of Justice. If you transfer personal data to the US in reliance on the Privacy Shield, you will need to find an alternative way of providing adequate safeguards for the transfer.
If you need help reviewing your documents or ensuring the legality of your international transfers of personal data, please contact Debbie Ashenhurst or your usual Wilsons contact.