What next for GDPR?

In case you missed it, the United Kingdom left the European Union on 31st January 2020 and entered the implementation or transition period, which is scheduled to last until 31st December 2020. As part of the preparations for the departure, the UK government passed the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

The potential effect of the UK’s departure from a data protection perspective will be different for each business, depending on its client base and areas of operation. There should, however, be little impact during the transition period.

In 2020, EU GDPR will continue to apply domestically in the UK in addition to the Data Protection Act 2018; an amended version of that Act also took effect on 31 January 2020.

UK GDPR, which will become the relevant regulation in the UK at the end of the implementation period, will maintain the data protection standards that currently exist under EU GDPR, which will cease to apply.

The core provisions of EU GDPR all remain the same under the newly introduced UK GDPR, including:

  • The principles relating to the processing of personal data and the lawfulness of processing (Article 5);
  • The rules around the processing of special categories of personal data (Article 9), also known as sensitive personal data, such as data on race, political opinions, religious or philosophical beliefs, biometric data, sexual orientation and more;
  • The conditions for consent (with the exception of the valid age of consent, which has been lowered to 13 years in the UK GDPR from 16 years);
  • The rights of the data subject, including the right of access, the right to be forgotten, the right to data portability and the right to rectification, etc.

The Data Protection Act 2018 will no longer rely on the EU GDPR, but on the UK GDPR instead. This means that when the transition period ends, UK citizens will be protected by a comprehensive data protection regime made up of both the UK GDPR, which (like the EU GDPR does today) defines what personal data is and how it is allowed to be processed, and the Data Protection Act 2018, which supplements the domestic GDPR and extends beyond it as well.

The EU version of GDPR will continue to apply in the EU, as well as to any business anywhere in the world processing the data of, or targeting, EU citizens. This means that if a company based in the UK has EU customers, or a website based in the UK has visitors from the EU, it will have to comply with both the EU GDPR and the UK GDPR.

Data law in the UK will no longer be supervised or enforced by the European Data Protection Board (EDPB); instead, the ICO (Information Commissioner’s Office) will supervise and enforce the domestic UK GDPR and the Data Protection Act 2018 in the UK.

GDPR introduced the concept of a one-stop-shop for data protection regulation across the EU. In the UK, the ICO is the supervisory authority. If your business engages in cross-border processing, which is the transfer or processing of data across the EU, the one-stop-shop allowed you to deal with just one supervisory authority, for example the ICO, rather than 28. Similarly, if you’re based in France but also deal with UK data, the French authority could be your lead authority. This will change.

After the transition period ends, if your organisation is involved in cross-border processing involving EU citizens’ data, it is likely that it will need to appoint another supervisory authority in the EU.

Similarly, if you deal with any UK data but haven’t been in touch with the ICO until now, you should do so. Businesses are expected to use the time until the end of 2020 to prepare for post-Brexit data protection laws, so it is worth taking the time to get prepared now.

Until now, non-European countries that deal with EU data have had to appoint a representative somewhere in the European Union to act as the point of contact for their EU customers and to deal with the supervisory authority. Now, with the UK leaving the EU, UK-based organisations will have to do the same. Further, companies that are based outside the UK but collect data from UK citizens will have to appoint a UK representative.

This UK representative is who you would notify if there has been a data breach. This is important when dealing with the data of citizens from other countries, given the extraterritorial nature of GDPR. UK companies processing or targeting EU citizens are obliged to notify the supervisory authority of breaches of personal data under GDPR.

What should you do now?

  • Establish your organisation’s exposure to GDPR;
  • Organisations that only process the data of people in the UK need to comply with UK GDPR and the Data Protection Act 2018;
  • Organisations that process the data of people in the EU need to comply with EU GDPR;
  • If your business processes data from data subjects based in the EU or has operations in the EU, be prepared to appoint a representative in the EU to liaise with an EU supervisory authority after the end of the transition period, expected to be 1 January 2021.

Although correct at the time of publication, the contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article. Please contact us for the latest legal position.