The implementation of the European Union General Data Protection Regulation (EU-GDPR) in 2016 has redefined the legal landscape for the use of personal information by companies. But while the GDPR is still the go-to legislation for all EU member states, Brexit has changed the data protection laws that apply to UK businesses. Read our overview of the current situation and the new legal requirements for British companies.
The UK’s Data Protection Act (DPA 2018) effectively enshrined GDPR in the UK, regardless of the country’s status within the EU. Prior to Brexit, the use of personal data and the flow of information in the UK needed to comply with the EU-GDPR as applied by the UK’s Data Protection Act (DPA 2018).
Following Brexit, the UK is no longer regulated by the EU-GDPR: on 1st January 2021 the DPA 2018 was amended to adopt a standalone UK law, referred to as the UK-GDPR, which is practically identical to the original EU-GDPR.
The UK version was changed to accommodate domestic areas of law that are, by definition, outside the scope of the European GDPR: national security, intelligence services and immigration.
It is important to mention that the current EU-GDPR may also still apply directly to you if you operate in the European Economic Area (EEA), offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA. Therefore, some UK businesses will need to comply with both the UK-GDPR/DPA 2018 and the EU-GDPR.
Since 1st January 2021, the United Kingdom has been in a ‘bridge period’ which will last until June 2021 and ensures an uninterrupted data flow with the EU. During this time, the European Commission will assess whether the UK ensures a level of data protection that is essentially equivalent to the one the GDPR grants to all EU citizens. The decision will then be re-examined in four years.
In February 2021, the European Commission issued a widely expected draft adequacy decision, confirming that the current UK legislation on personal data protection is considered ‘sufficient’. For the draft to be adopted as an official adequacy decision, however, it still needs to be reviewed by the European Data Protection Board and approved by representatives of each EU member state.
Should the UK not be granted an adequacy decision, however unlikely that currently seems, the Information Commissioner’s Office (ICO) recommends using a legal instrument called Standard Contractual Clauses (SCC), which regulate data transfers between EU and non-EU countries. The ICO offers an interactive online tool that helps SMBs decide which kind of SCC they should use.