The ICO has released a statement on the implementation of Brexit and the implications on data protection.
On January 31, 2020, the UK officially left the European Union and entered a Brexit Transition Period, which runs through December 2020. Prior to that, on January 29th, the UK’s ICO released a statement on the implications of this Brexit implementation on data protection. The ICO iterates that they will continue to act as the lead supervisory authority for businesses and organizations that operate within the UK.
During this transition, the GDPR will steadily apply, and the ICO suggests that businesses that process customers’ personal data continue to follow their guidelines, and the protocol already in place. The GDPR will cease to apply at the end of this transitional period. However, the UK government intends to incorporate the provisions of the GDPR into UK data protection law beyond December 2020.
That said, businesses and organisations that offer goods or services to people in the EU are still expected to follow the EU’s version of the GDPR beyond the transitional period. However, for now, these companies and organizations will not need to appoint a European representative. GDPR transfer rules will apply to any data coming from the EEA into the UK. As a result, these companies may need help deciding how to transfer personal data to the UK in line with the GDPR.
The ICO has also updated their Brexit FAQs to reflect any recent changes. They will continue to update their external guidance as they regularly monitor the situation.
Does this sound like too much to plan? We have prepared a summary of the ICO guidance below:
During the transition period (until the end of 2020). |
After the transition period. |
|
| Will the GDPR continue to apply in the UK? | Yes | It will depend on negotiations. The default position is the same as for a no-deal Brexit. However, the GDPR will be brought into UK law as the ‘UK GDPR’ |
| Is a EU Representative necessary? | No | Yes, If you are offering goods or services to or monitoring the behavior of individuals in the EEA. |
| What will the UK data protection law be? | Data Protection Act 2018 (DPA 2018). | The provisions of the GDPR will be incorporated directly into UK law from the end of the transition period, to sit alongside the DPA 2018. |
| What role will the ICO have? | The ICO will remain the independent supervisory body regarding the UK’s data protection legislation. | The ICO will remain the independent supervisory body regarding the UK’s data protection legislation. |
| Can we still transfer data to and from Europe? | Yes | From the end of the transition period, GDPR transfer rules will apply to any data coming from the EEA into the UK. |
