The legal position on GDPR and personal data transfer between the UK and the EEA have changed post-Brexit as follows:
EU GDPR Regulation
As an EU Regulation, EU GDPR no longer applies to the UK. However, if you operate inside the UK, you will still need to comply with UK data protection law. The EU GDPR has been incorporated into UK data protection law (the UK GDPR) and so in practice, there is little change to the core data protection principles, rights and obligations found. The EU GDPR may also still apply directly to you if you operate in the European Economic Area/EEA, offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA. The EU GDPR will still apply to any organisations in Europe who send you data, so you may need to help them decide how to transfer personal data to the UK in line with the UK GDPR, in the event that the trade deal ‘Bridge’ ends without ‘Adequacy’ (see below).
Data Protection Act 2018 (DPA)
This piece of UK legislation continues to apply. The UK GDPR sits alongside the DPA with some technical amendments so that it works in a UK-only context.
Transfers of data from the UK to the EEA
Transfers of data from the UK to the European Economic Area (EEA) are not restricted.
Transfers of data from the EEA to the UK
The EU agreed to delay transfer restrictions from the EEA to the UK for at least four months, which can be extended to six months (known as the ‘Bridge’). This enables personal data to flow freely from the EEA to the UK until either Adequacy decisions are adopted, or the Bridge ends. ‘Adequacy’ is a term that the EU uses to describe other countries, territories, sectors or international organisations that it deems to provide an ‘essentially equivalent’ level of data protection to that which exists within the EU. Unless the EU Commission makes an Adequacy decision before the Bridge ends, EU GDPR transfer rules will apply to any data coming from the EEA into the UK. You need to consider what safeguards you can put in place to ensure that data can continue to flow into the UK.
What do you need to do now?
If you currently receive personal data from the EEA and you want to ensure that data flow processes remain uninterrupted, you should put alternative safeguards in place (such as standard model data privacy clauses in your contract with the EEA transferor) before the end of April, if you haven’t done so already. We can assist with this in order to provide the necessary assurance to the EEA transferor. Alternatively, if you would like us to check your privacy notices to ensure that they are still compliant or if you are unsure as to your legal position in relation to data transfers, we can give you a steer on what you may need to do.