This note explains key changes that will be made to UK data protection legislation at the end of the UK-EU transition period (transition period), in particular by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) (DP Brexit Regulations).
WHY IT IS RELEVANT
Complying with the impending changes to the GDPR regime will be critical for companies based in the UK and internationally, to ensure operational compliance and mitigate risk in a period of significant change. This short note highlights to companies and management teams that they should check the suitability of their existing compliance policies and procedures and implement any changes required to ensure ongoing compliance and commercial validity.
WHAT HAPPENS TO UK DATA PROTECTION LAW AFTER THE BREXIT TRANSITION PERIOD?
Once the transition period comes to an end, new and amended data protection legislation will be in force.
In the UK, the Data Protection Act 2018 (DPA) was introduced at the same time as the GDPR to ensure that the UK and EU remained aligned post-Brexit, and also to:
- Supplement GDPR requirements and standards.
- Set out UK-specific exemptions.
- Cover areas not dealt with by GDPR (for example, processing of personal data by law enforcement authorities and intelligence services).
The DP Brexit Regulations have amended the UK-applicable version of the GDPR and the DPA to create a single UK data protection regime that will apply once the transition period ends.
In effect, this creates a “UK GDPR” of retained EU law, which mirrors the EU GDPR as it applies at the end of the transition period but which does not automatically incorporate any future changes to the “EU GDPR” regime (any such changes would need to be proactively incorporated by the UK government). Companies and management teams therefore need to be aware of the differences which will, in certain scenarios, arise between the UK GDPR and EU GDPR regimes.
For any data processed or obtained before the end of the transition period, as per Article 71 of the Withdrawal Agreement, the UK is required to continue applying “Union law on the protection of personal data” to the processing of personal data of data subjects outside the UK where:
- The personal data was processed in the UK before the end of the transition period under EU law.
- The personal data is processed in the UK after the end of the transition period on the basis of the Withdrawal Agreement.
This obligation shall remain until the UK’s processing of the relevant personal data is covered by a European Commission adequacy decision under the EU GDPR or the Law Enforcement Directive (EU) 2016/680.
The UK GDPR applies to the automated or structured processing of personal data, including:
- Processing in the course of an activity which, immediately before the end of the transition period, fell outside the scope of EU law.
- Processing in the course of an activity which, immediately before the end of the transition period, fell within the scope of Chapter 2 of Title 5 of the Treaty on European Union (common foreign and security policy activities).
- Manual unstructured processing of personal data held by an FOI public authority. (Article 2, UK GDPR).
The UK GDPR does not apply to:
- The processing of personal data by an individual in the course of a purely personal or household activity (see Practice note, GDPR and DPA 2018: derogations and exemptions: Personal or household activities).
- The processing of personal data by a competent authority for any of the law enforcement purposes (see Practice note, Data Protection Act 2018: overview: Part 3: Law enforcement processing).
- The processing of personal data for intelligence services processing (see Practice note, Data Protection Act 2018: overview: Part 4: National security processing).
Therefore, the key principles and procedures which many companies and management teams have already implemented within their organisations will continue to be relevant, and organisations which have been committed to historical good practice regarding the GDPR will be in a good position to make the necessary amendments post-transition.
The Information Commissioner’s Office will no longer act as a lead supervisory authority for cross-border processing after the transition period. It will continue to work and collaborate with other EU supervisory authorities; however, there is a likelihood that an organisation could face both EU and UK fines or enforcement action for the same breach.
UK organisations with a strong existing compliance infrastructure may require only minor amendments, such as changing all references to “GDPR” to “UK GDPR”, which can be implemented at the end of the transition period or as soon as possible thereafter. For those with less substantial infrastructure, it is advisable to make all necessary changes and upgrades without delay and to seek legal advice.
GET IN TOUCH
Should you have any questions about the topics covered in this Client Briefing, please get in touch with your usual Rooney Nimmo contact or any of the persons below.
John Nimmo, Founding Partner
+44 (0)7811 458 506
Edward Sloan, Founding Partner
+44 (0)7715 380 367
Dawn Robertson, Partner
+44 (0)7779 939 66
Grant Docherty, Partner
+44 (0)7877 283 645
Neil Anderson, Partner
+44 (0)7851 259 052