The UK GDPR will be integrated directly into UK law from the end of the current transition period, which ends as of 31st December 2020 and will sit together and in co-operation with the current UK Data Protection Act 2018. At the end of the transition period, there will be both the current EU GDPR as well as a UK GDPR. The Withdrawal Agreement includes technical amendments to the current GDPR, so that it will work in a UK-only conditions
- The ICO has stated that it will not impose restrictions on data flowing from the UK to the EU. Whether this continues to stand after the end of the transition period remains to be seen.
- The ICO will recognise binding corporate rules authorised under the EU process until the end of the transition period, to ensure appropriate safeguards for transfers from the UK. However, organisations that have a UK lead company will need to revisit their binding corporate rules (BCRs) to find an EU lead company in their group post transition.
How will cross border transfers of personal data from the UK to other third countries be affected after the transition?
- The US Department of Commerce announced that the Privacy Shield will continue to apply to UK data transfers throughout 2020, but all US organisations under the Privacy Shield scheme must update their public commitment to comply with the Privacy Shield to include the UK. These public commitments must state specifically that the commitment extends to personal data received from the UK in reliance on the US Privacy Shield.
- The UK government intends to recognise the EU adequacy decisions that the European Commission made prior to the withdrawal date. This will allow transfers to continue to most organisations, countries, territories, or sectors covered by an EU adequacy decision after UK withdrawal.
- Data transfer agreements may need to be reviewed to ensure they cover UK to third-country data flows, since the vast majority of transfer agreements were drafted with the assumption that UK was part of the EU, which is no longer the case.
What will be the impact on EU and UK companies at the end of the transition period?
- At the end of the transition period, the EU GDPR and UK GDPR will both be in force, and companies will be subject to both regimes if they are:
- Established in the UK and the EEA
- Established in the UK, and offer goods and services to, or monitor the behaviour of, individuals in the EEA
- Established in the EEA, and offer and offer goods and services to, or monitor the behaviour of, individuals in the UK
- Established outside of the UK and EEA, but offer goods and services to, or monitor the behaviour of, individuals in the UK and EEA
Will UK and EU businesses need to appoint Article 27 GDPR representatives?
- Once the transition period has ended, UK organisations without an EEA presence and subject to jurisdiction under Article 3(2) EU GDPR will be required to appoint an EU-based legal representative if they offer goods and services to data subjects in Member States or monitor the behaviour of data subjects in Member States.
- Conversely, organisations that do not have a UK presence, and are subject to the UK GDPR and offer goods or services to UK users, will need to appoint a UK representative under Article 27 UK GDPR.