Data Protection – where are we now?
The UK and EU finalized the EU-UK Trade and Cooperation Agreement (the Agreement) setting out the post-Brexit relationship on 24 December 2020. The transition period ended on 31 December 2020. This article briefly outlines the current legal position for UK controllers.
Please note that the position differs for UK processors and non-UK controllers/processors.
If you are a UK controller processing personal data on individuals in the UK
The UK has converted the EU General Data Protection Regulation (the EU GDPR) into domestic law, with some minor technical amendments to ensure it is operable in the UK. This is referred to as the UK GDPR.
You will need to comply with the UK GDPR and the UK’s Data Protection Act 2018 when you process personal data of individuals located in the UK.
If you are a UK controller processing personal data on individuals outside the UK
You will need to comply with the UK GDPR when you process personal data on individuals located outside the UK, whether the processing takes place in the UK or not.
The EU GDPR will also apply if you are processing personal data of data subjects who are in the EU where the processing activities are related to:
(a) the offering of goods or services to data subjects in the EU; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the EU.
Crucially, until an adequacy decision is adopted by the EU and comes into effect, you will also need to comply with the GDPR law applicable on the last day of the transition period (i.e. 31 December 2020) in relation to any “legacy personal data”. Legacy personal data is the personal data of individuals outside the UK (whether in the EEA or not) which is processed in the UK, where:
• it was acquired before the end of the transition period and processed under EU data protection law; or
• it is processed on the basis of the Withdrawal Agreement after the end of the transition period, for example, if personal data is processed under a provision of EU law that applies in the UK by virtue of the Withdrawal Agreement.
In some limited circumstances, you may be required to designate an EU representative.
If you transfer personal data from the UK to the European Economic Area (EEA)
The UK Government had previously announced that it considers that the EEA provides adequate protection for personal data. Consequently, personal data can freely flow from the UK to the EEA. However, you may need to put in place agreements to formalise the processing,
If you receive personal data from organisations in the EEA
The UK and EU have agreed a temporary “bridging mechanism” to allow the continued flow of personal data from the EEA to the UK until an adequacy decision comes into effect, for up to 6 months.
The UK Government and the Information Commissioner’s Office have recommended that as a sensible precaution, before and during the bridging mechanism, you work with EU/EEA organisations who transfer personal data to you to put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU to UK personal data.
The law is complex and likely to develop further. If you would like to know more about the impact on your organisation, and how to manage the changes, please get in touch below.