What happens to GDPR in the UK after the January 31st Brexit date?
On the 31st of January, Britain officially starts leaving the EU. From there, it enters an 11-month transitional period ending on December 31st, 2020. But does this change anything about the EU data protection laws that have until now applied to the UK? And will companies need to update their data protection standards?
EU GDPR came into force in May 2018 and has done a lot to influence data controllers and processors to be more careful with personal data. Personal data is defined as anything that can identify an individual. This ranges from information such as an individual’s name and address to things such as their company and job title.
The short answer is that nothing will change. EU GDPR will still apply to the UK for the entirety of the transitional period. It will also apply for any extension of that transitional period.
After the Transition Period
So, what happens to EU GDPR post Brexit? Once the transitional period is over, EU GDPR will technically no longer apply to the UK. However, the current plan is for a revised version of the regulations called UK GDPR to come into force.
In doing this, the UK essentially absorbs the EU GDRP into its own domestic law. This means many of the regulations will stay the same. Most changes relate to references to EU-specific terminology. As these will no longer be relevant to the UK once it’s left the bloc, the new law replaces them with applicable domestic references.
The revisions also deal with data transfers from the post-Brexit UK to other countries. New clauses recognise all countries that abide by the EU GDPR standard as having adequate data privacy standards. This allows the UK to transfer data to them without extra safeguards. For countries outside of this classification, the UK will need to confirm adequacy status with them on an individual basis.1
Things are not so straightforward for transfers going the other way, though. After Brexit, the EU will class the UK as a ‘third country’. This means that EU companies will need extra data protection safeguards when transferring data to the UK. This will affect businesses that operate in the EU or have EU-based customers.
To prevent this, the UK will have to achieve adequacy status. According to the official website of the EU, this means:
The European Commission has the power to determine whether a country outside the EU offers adequate data protection... The effect of such a decision is that personal data can flow from the EU to that third country without any further safeguards.
If the UK’s revisions to EU GDPR are as minor as they currently appear, this may not be too much of an issue.
In Closing
In the short term, little will change about how data protection laws affect UK companies. And if the current plan stays the same, not much will change in the long term either. During the transitional period, GDPR still applies to the UK. And after that, the UK plans to absorb GDPR into its domestic law. Data protection is going to remain much the same.
One thing to note is that the UK must now agree on adequacy status with countries outside the EEA of its own accord. It’s hard to predict what impact this will have at this point in time.
There is a chance that some of this information could change during the transitional period. If any significant amendments take place, we’ll be sure to update this article.
1 These are the countries outside of the EU/EEA that have to date achieved adequacy status: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework)