On 31 December 2020, the Brexit transition period ended, meaning that from 1 January 2021 the UK has been able to amend UK employment legislation underpinned by European law. The UK’s Data Protection Act 2018, which is underpinned by the European GDPR, is one example.
This hot topic considers the impact of having left the EU on the UK’s Data Protection Act 2018 and on the flow of personal data into and out of the UK and the EU. Any reference to ‘data’ in this article means ‘personal data’.
Data Protection before Brexit
The GDPR is an EU directive which applies to all organisations that are based in, or do business in the EU, regardless of size or sector. It was introduced in 2018 to bring about one single set of data protection regulations applicable to all EU member states in the same way. It also applies to competitors based outside of the EU in respect of any personal data that they process which belongs to EU data subjects.
In terms of the transfer of personal data, the GDPR required that all organisations involved in the transfer of personal data:
- Have a lawful ground for processing that personal data
- Provide certain information to data subjects
- Complete a data protection impact assessment where the transfer poses a high risk.
Data Protection Act 2018
The Data Protection Act 2018 (DPA) is the UK’s current law governing the protection of personal data. Its content is primarily derived from the General Data Protection Regulation (GDPR), as the UK was required to adopt the GDPR back in 2018. Even though the UK has had data protection laws in place for some time, it is the DPA 2018 which includes the requirements set under the European GDPR directive.
Data Protection after Brexit
Throughout the Brexit trade negotiations, the UK Government committed to ensuring that the UK maintains high standards of data protection moving forward. A consequence of the transition period having ended is that the UK is free to amend or remove any of the existing employment rights which derive from the EU, and so the UK is free to make any changes to the DPA as it deems necessary.
The UK GDPR is new: it is the UK’s version of the retained GDPR. It came about as part of the European Union Withdrawal Act 2018, as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
It is also defined in section 3(10) of the DPA 2018, which means that from 1 January 2021, for UK based organisations, the legal framework for managing personal data comes from both the DPA 2018 and the UK GDPR.
This may seem a duplication, and it may well be that in time these two pieces of legislation are amalgamated. At present, however, the requirements laid down in both pieces of legislation must be adhered to.
The UK GDPR will also apply to controllers and processors based outside the UK if their processing activities relate to offering goods/services to individuals in the UK or monitoring the behaviour of individuals taking place in the UK.
Key Change Following Brexit
When the UK was part of the EU and EEA, data could be transferred freely between all member states governed by the GDPR. Now that the UK is outside the EU and EEA, the GDPR regards the UK as a ‘third country’, so technically the free transfer of data has ended and additional safeguards are required to enable the flow of data to continue.
Although the UK is now classed as a ‘third country’, data transferred (sent) from UK organisations to members of the EEA has not been restricted, thanks to provisions under the withdrawal arrangement. In addition, under the trade deal, the EU will temporarily delay restrictions on data received by UK organisations from those in the EEA for four to six months.
So, even though from 1 January the UK became a third country for the purposes of the GDPR, UK organisations may, for the time being, still send personal data to and receive personal data from the EEA, giving UK businesses more time to prepare.
It is hoped that during this time the UK will receive what is known as an ‘adequacy decision’, which is essentially approval from the European Commission that the UK is a country which protects personal data to the standards of the EU GDPR – and so is safe to send data to freely without organisations having to put their own safeguards in place. As the UK has essentially adopted the GDPR (as the UK GDPR), it is fully expected that this will be the case.
Welcome news came on 21 February 2021, when the European Commission published its draft decisions and found the UK to be adequate. These draft decisions must now be considered by the European Data Protection Board and a committee of the 27 EU Member Governments. If they approve the draft decisions, the European Commission can formally adopt them as legal adequacy decisions, meaning the UK will be able to allow the free flow of data under the EU GDPR transfer rules as it has in the past. If the adequacy decision is not adopted, the UK must comply with the EU GDPR transfer restrictions that currently apply to all other third countries.
Get further information and guidance by reading the full article, at https://www.hrsolutions-uk.com/data-and-gdpr-implications-brexit, where we also cover the following:
- Potential Implications for International Data Transfers
- International Transfer Requirements
- What Next?
- Practical Considerations
- Further Information on how to conduct a data and compliance risk audit.
Further HR Guidance
- Webinar Recording: you can watch the HR Solutions webinar about “Data and GDPR”, and download the webinar slides, at https://www.hrsolutions-uk.com/services/data-and-gdpr-after-brexit.