The UK has left the EU and the transition period has now expired. Many businesses will have marked the end of the transition period on their calendars and will have no doubt viewed the government advertisements prompting them to prepare for the change. However, in the midst of the third lockdown, lots of businesses will have failed to take the necessary steps to comply with the new rules.
A key area which will change as a result of the end of the transition period, is the UK data protection regime. As the UK is no longer part of the EU, the General Data Protection Regulation (“GDPR”) will cease to have direct effect in the UK. The UK government has decided to retain a version of the GDPR which, together with the Data Protection Act 2018, will create the new UK data protection rules.
The new UK data protection legislation will be similar to the EU GDPR, but several areas will change. Businesses should now take steps to review their policies, practices and procedures to ensure that they:
- refer to the UK data protection legislation;
- acknowledge that they are no longer part of the EU and that processing will take place in the UK;
- identify if any personal data will be transferred outside of the UK. If so, the business will need to put in place additional safeguards to protect the personal data being transferred;
- identify if any personal data will be transferred to the UK business from an EU exporter. Despite the EU-UK Trade and Cooperation Agreement, businesses may wish to consider what additional safeguards will need to be put in place in the event that no adequacy decision (a finding by the European Commission that the UK offers an adequate level of data protection) comes into effect; and
- appoint an EU based representative if you do not have offices in the EEA but regularly offer goods and services to individuals in the EEA or monitor the behaviour of individuals in the EEA.
We recommend that businesses act now to ensure compliance with the new UK data protection regime. Further information in relation to data protection at the end of the transition period is available from the Information Commissioner’s Office (https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/).
Get in touch
If you would like to discuss any of the issues raised in this article, or would like assistance with data protection, Rebecca Anforth (Senior Associate), would be delighted to hear from you. You can reach Rebecca on 01872 226999 or you can email her email@example.com.
The information provided in this article is a summary for general information purposes only and does not constitute legal or other professional advice and cannot be relied upon as such. Any law quoted in this article is correct as at the above date. Appropriate legal and financial advice should be sought for specific circumstances before any action is taken.