When the UK voted to leave the EU, most of the population probably did not give a thought to how that would affect the handling of personal data by companies. However, given that data protection had previously been guided by the EU's GDPR framework, where are we now post-Brexit? What do UK lawyers who handle personal data need to know?
2021 data protection
Currently, the UK has retained the GDPR as the law that companies should follow when handling personal data. However, it is to be used alongside the Data Protection Act 2018 to ensure that the highest data protection standards are upheld in the UK. This legislation broadly follows the GDPR and its principles.
There are a number of other key points to highlight when it comes to data protection and the EU-UK Trade and Cooperation Agreement now that the transition period has come to an end.
For EU companies who do business with the UK, we are now seen as a third country to all EU members. So, in practice, this means that a decision is required from the European Commission as to the UK's adequacy under the EU's GDPR and Law Enforcement Directive. Currently, while the European Commission has published its draft decision that it has found the UK to be adequate, it still awaits approval from the European Data Protection board.
If it concludes that the UK is, indeed adequate, it means that transfers from the EU to the UK do not need any safeguards or authorisation in addition to what the GDPR requires already. If it concludes that the UK is not adequate, companies will be required to put alternative safeguards in place to continue data transfers to the UK.
In comparison, the UK government has already stated that all EU states are deemed adequate when it comes to data protection and data flows from the UK. Additionally, now the UK has left the EU, the Information Commissioner is still the UK's supervisory body on data protection. However, any international data transfers will still be highly subject to remaining true to the GDPR.
GDPR and data protection in 2021- outlook
The Government has put in place this legislation in the hope that data flows will continue without interruption, which can affect business productivity and effectiveness. It remains to be seen whether this is the case. Data protection in 2021 in the UK has so far not changed, even though the transition period has ended.
However, should the adequacy decision find the UK to be inadequate as a data transfer partner, companies should prepare extra safeguards in addition to the GDPR and UK's Data Protection Act. Given that dealing with personal data in a legal and proper manner is partly there to ensure that data remains useful, it is key that any imminent changes to the law are employed so that continues to be the case.