GDPR and Brexit
What happens now the UK has a withdrawal agreement?
Now that the UK has a Withdrawal Agreement with the EU, there will be a transition period until the end of 2020 to allow time to negotiate a new relationship with the EU. During the transition period the GDPR will continue to apply in the UK and you won’t need to take any immediate action. You should continue to follow existing guidance on the GDPR.
Will the GDPR still apply when we leave the EU
The GDPR is an EU Regulation and, in principle, it will no longer apply to the UK from the end of the transition period. However, if you operate inside the UK, you will need to comply with UK Data Protection Law. The government intends to incorporate the GDPR into UK data protection law from the end of the transition period – so in practice there will be little change to the core data protection principles, rights and obligations found in the GDPR.
1. The EU version of the GDPR may also still apply directly to you if you operate in Europe, offer goods or services to individuals in Europe, or monitor the behaviour of individuals in Europe.
2. The GDPR will still apply to any organisations in Europe who send you data, so you may need to help them decide how to transfer personal data to the UK in line with the GDPR.
What will the UK Data Protection Law be?
The Data Protection Act 2018 (DPA 2018), which currently supplements and tailors the GDPR within the UK, will continue to apply. The provisions of the GDPR will be incorporated directly into UK law from the end of the transition period, to sit alongside the DPA 2018. New DP exit regulations have been passed which will make technical amendments to the GDPR so that it works in a UK-only context from the end of the transition period.
What happens at the end of the transition period?
That depends on negotiations during the transition period.
The default position is the same as for a no-deal Brexit: the GDPR will be brought into UK law as the ‘UK GDPR’, but there may be time for further developments about how we deal with particular issues such as UK-EU transfers.
Do we need a European representative during the transition period?
No, during the transition period you do not need to appoint a representative in the EEA. However, you may need to appoint a representative from the end of the transition period if you are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA.
What role will the ICO have?
The ICO will remain the independent supervisory body regarding the UK’s data protection legislation.
During the transition period the ICO will engage in the co-operation and consistency mechanism under GDPR and continue to be a lead supervisory authority.
The UK government will continue to work towards maintaining close working relationships between the ICO and the EU supervisory authorities once the UK has left the EU.
Word from the ICO – Will our GDPR guidance still be relevant?
Yes. We expect UK data protection law to be aligned with the GDPR, so you should continue to use our existing guidance. Following the approach in our guidance will help you comply now and after the end of the transitional period.