Beyond Brexit transition – the impact on data protection

By Eduardo Ustaran and Nicola Fulford
30 November 2020

What's the issue?

The UK Data Protection Act 2018, which introduced the GDPR framework, will remain in place, so at one level the day-to-day data protection obligations will hardly change. However, as the transition period comes to an end on 31 December 2020 and the realities of Brexit kick in, it is unlikely to be business as usual. The greatest challenge of all will be if, in the absence of an adequacy determination by the European Commission, the UK officially becomes an unsafe jurisdiction for EU personal data and, as a result, data transfers from the EU are subject to legal restrictions.

Where are we now?

The UK government is awaiting the European Commission’s adequacy decision.

What impact does this have?

Not being regarded as adequate from a data protection perspective means that any UK businesses receiving personal data from the EU will need to undertake a ‘transfers impact assessment’ and, on the basis of this assessment, put in place contractual or other types of measures aimed at providing a level of protection deemed acceptable by the EU.

Aside from data transfers from the EU, the Information Commissioner’s Office (ICO) will no longer be part of the European Data Protection Board (EDPB). So whilst the ICO will be free from the interpretative restrictions of the EDPB, at the same time, it will be unable to effectively influence the thinking of its European counterparts or to participate in the One Stop Shop system of regulatory supervision. This will expose any global business that has its main European operations in the UK to the scrutiny of the data protection authorities of all EU Member States.