When the General Data Protection Regulation (GDPR) came into effect on 25 May 2018, it standardised data protection rules across the European Union and improved the rights of individuals with regards to the use of their personal data.
Since then, organisations have endeavoured to improve their own data protection processes, implementing new measures to comply with this landmark legislation.
But the UK is no longer part of the European Union and, as a result, isn’t subject to EU laws introduced after the 31 January 2020 withdrawal date. So, does that mean a post-Brexit UK is still bound to GDPR?
To clear up any confusion, we’ve gathered some common queries regarding the matter below.
Will GDPR rules still apply in the UK?
In a word: yes. The UK was a long-time proponent of robust data protection laws, and was one of the principal architects of GDPR.
As a result, the UK government always took the position that GDPR would be absorbed into UK domestic law, which was eventually done as part of the European Withdrawal Agreement.
So, as it’s an EU regulation, the EU GDPR ceased to apply in the UK. However, if your business operates inside the UK, it will need to comply with UK data protection law, since the UK government incorporated the GDPR into UK law as the UK GDPR.
Because of this, very little has changed. To reflect the UK’s new status outside of the EU, certain amendments have been made, but the core data protection principles and obligations of the GDPR remain largely the same.
Will the GDPR still apply to businesses operating in the European Economic Area (EEA)?
Your business is still bound by EU GDPR if any of the following apply:
- Your business operates in Europe
- You offer goods or services to individuals in Europe
- You monitor the behaviour of individuals in Europe
Regardless of UK domestic law and irrespective of any agreements made after Brexit, UK companies still need to adhere to GDPR in full. Additionally, UK companies may need to liaise with an EU data protection authority in the event of a data incident – it’s always a good idea to stay up to speed with any enforcement across the Bloc, as a result.
Meanwhile, if your organisation has processing activities in both the EU and the UK, you will need to comply with both the UK GDPR and the EU GDPR.
How does Brexit affect international data transfers?
As part of the new trade deal, the EU has agreed to delay transfer restrictions for a limited period of up to four months, which can be extended to six. This enables personal data to flow freely from the European Economic Area to the UK until an ‘adequacy’ decision has been made.
Since leaving the EU, the UK is now classed as a ‘third country’ under EU GDPR. Third countries are states that fall outside of the EU GDPR zone. Data transfers from the EU to third countries are subject to restrictions unless the EU grants a status known as ‘adequacy’.
This status is awarded to countries deemed to have an adequate level of data protection. Other countries awarded adequacy status by the EU include Argentina, New Zealand, Israel and Japan. If the UK is granted adequacy, the free flow of personal data will continue, free from further restrictions or requirements.
If none of the above applies, a UK-based business wishing to transfer personal data abroad will have to rely on the same alternatives which were mentioned when GDPR came into effect in 2018.
What would have happened in the event of No Deal?
It’s clear now that we’ve avoided a ‘no deal Brexit’. The UK government stated that in the event of a ‘no deal’, it would have allowed data to flow from the UK to countries in the EEA. However, the EU would most probably have banned data transfers to the UK as soon as it left the union.
The Information Commissioner’s Office, the UK regulator responsible for data protection enforcement, warned around the time that any organisations relying on EEA data transfers would have to move to alternative mechanisms should a ‘no deal Brexit’ have gone ahead.
Will the EU be adequate for data transfers from the UK?
Yes, the UK government has confirmed that it will transitionally recognise the EU as adequate to allow for data flows from the UK without any additional transfer mechanisms.
Will businesses require a European representative?
If your business offers goods or services to individuals in the EEA or you monitor the behaviour of individuals in the EEA, then you might need to appoint an EU representative.
These representatives act as your local presence in the EEA, working with individuals and local supervisory authorities in that area. Organisations will need to update their privacy notice with the details of their EU Representative and advise the Local Supervisory Authority.
Likewise, if your business is based in the UK but you process the personal data of UK citizens, you will need to appoint a UK representative under the UK GDPR. Public authorities or those with occasional or low-risk data transfers will not need to appoint a representative.
What will the role of the Information Commissioner’s Office be?
Now that the UK is outside the EU, and beyond the scope of the European Court of Justice, the Information Commissioner’s Office will remain the independent supervisory body governing the UK’s data protection legislation.
That said, it will no longer be an EU supervisory authority. As stated above, if you process the data of EU citizens, you will need to have a nominated EU representative. The ICO has clearly stated that if you handle EU citizens’ data, you will still need to comply with the GDPR.
Who needs to be notified in the event of a data breach?
In the event of data breaches, UK-based companies should contact the ICO. Following Brexit, the ICO will only investigate data protection-related incidents that involve UK individuals.
Should the breach involve several different nationalities, the ICO will launch an investigation and deal with the Supervisory Authorities in each of the affected territories. If EEA data subjects are involved, you must contact the relevant EU Supervisory Authorities directly.
CDL is one of the UK’s leading IT disposal companies, working to help private and public businesses safely retire and recycle their outdated IT assets. To find out how we could help your business, or for more of the latest tech news and advice, visit our homepage or call our team today on 0333 060 2846.