From 31 January 2020 the United Kingdom (UK) was no longer a European Union (EU) member. Since exit day the UK has been in the implementation period (transition period), during which the UK must continue to comply with the EU General Data Protection Regulation (GDPR) and is generally treated as an EU state for legal purposes. The implementation period is due to end on 31 December 2020, after which the UK intends to create a separate data protection system, a ‘UK GDPR’.
At the end of the implementation period the EU GDPR will be incorporated into the UK’s domestic law as the UK GDPR. The intention behind the UK GDPR system is for the primary principles, obligations, and rights that data controllers and subjects have become familiar with under the EU GDPR to stay the same.
By establishing the UK GDPR, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 will carry the core EU GDPR standards into UK domestic law. This includes the data protection principles, the rights of data subjects and the obligations of controllers and processors. Therefore, organisations should continue to implement the EU GDPR compliance standards and follow the Information Commissioner’s Office (ICO) guidance, which will be updated to reflect any changes in relation to the UK GDPR system.
As things currently stand, after the implementation period the ICO will no longer have any formal relationship with the European Data Protection Board (EDPB), and the UK will then be outside the one-stop-shop system. An organisation may then need to:
- Adapt to supervision by both the UK’s ICO and a lead supervisory authority in the European Economic Area (EEA).
- Where the ICO was previously the supervisory authority – aim to identify a supervisory authority in the EEA in accordance with Article 56 of the EU GDPR and consider building a connection with that authority.
- Where the ICO was not previously the supervisory authority – adapt to additional regulation by the ICO.
The ICO has indicated that it intends to continue to co-operate with the European supervisory authorities in relation to any breaches of the EU GDPR that affect data subjects in the UK or the EU and EEA states.
At the end of the implementation period, the UK will become a ‘third-country’ under the EU GDPR. This means any personal data transferred between the UK and EEA would need to comply with the relevant transfer restrictions under UK and EEA laws, which will depend on whether the transfer originated from the UK or EEA.
Navigating and complying with all the relevant laws for your business can be time-consuming and complex, especially considering any changes that may arise due to Brexit. At Lawdit Stay Legal we offer a one-stop-shop solution for legal compliance, giving you more time to focus on other essential areas of your business. Our packages at different price points offer something for every business. They will keep your business on the right side of the law and put legal safeguards in place to protect and assist you and your business if any dispute were to arise. With a free initial consultation there is no need to delay, so book today!