Transition Update 1
Where are we now?
31 January 2020
The answer is that the UK is officially out of the EU, but geographically still in Europe. The 'excitement', or was that relief? of Brexit actually happening has passed. So perhaps now would be a good time to take stock - at least in relation to data protection.
The basic message is DON'T PANIC!
What is the current position?
Not a lot has changed because we have entered an 11 month Transition period that will end on 31st December 2020. That means that all the EU rules still apply and that includes the GDPR.
In the words of the ICO, this means it is "... business as usual for data protection." The GDPR is still in force meaning that anyone processing personal data should continue to follow the ICO's existing advice and guidance on their data protection obligations.
During the transition period, companies and organisations that offer goods or services to people in the EU will not need to appoint EU representatives. The ICO will continue to act as the lead supervisory authority for businesses and organisations operating in the UK.
It is not yet known what the data protection regime be after the transition period and inevitably businesses and organisations will continue to have concerns about the future of data flows and the general handling of personal data.
What happens on 1st January 2021?
Post Transition, the UK will be a 'third country' in EU terms and the (EU) GDPR will no longer be part of UK law.
- The UK Government has acknowledged that it will recognise all EEA countries under its own adequacy ruling and incorporate all existing EU adequacy decisions. This will allow organisations within the EU to continue to facilitate data transfers from the UK to these countries.
- GDPR restrictions will apply to personal data transfers into the UK unless the EU establishes that the UK is an “adequate” country. For the EU to do this, the European Commission will have to assess and approve the UK's adequacy. There may not be time for this by 31st January and so organisations need to ensure that they have appropriate safeguards in place for inbound data transfers, such as adopting the EU’s standard contractual clauses in their arrangements with EU based entities.
- Organisations based in both the UK and the EU will need to update their privacy notices to reflect the change to third country status.
The UK Government has said that it plans to continue 'GDPR' post the transition period and the ICO expects that it will be incorporated into UK legislation as the “UK GDPR” and so organisations should maintain their compliance on that basis. However this is not a certainty, so watch this space!
After the transition period, companies and organisations offering goods or services to EU residents, with establishments in the EU or monitoring the behaviour of people located in the EU will still have to comply with the GDPR because of the extra-territorial scope of the legislation.