Impact of the withdrawal agreement on data protection

Under the EU-UK Trade and Cooperation Agreement concluded at the end of 2020 (which followed the European Union (Withdrawal Agreement) Act 2020), the UK and EU agreed to keep the existing position on the flow of personal data between them unchanged for a limited period. This interim period, known as the bridge, means there are no new restrictions on transfers from the EEA to the UK for at least four months from 1 January 2021, extendable to six months. In the meantime, the UK government has asked the European Commission for a decision on the UK's data protection adequacy, as that will determine the position at the end of the four-month period, or the extended six-month period.

What does an adequacy decision mean?

The UK now falls outside the GDPR zone and became a third country from an EU perspective on 1 January 2021. The European Commission decides whether a third country provides an adequate level of protection for personal data transferred to it. If it concludes that the UK's protection is adequate, personal data can be sent from a country in the EEA to the UK without any further safeguards. The UK has already confirmed that transfers from the UK to the EEA will continue to be permitted from 1 January 2021, as the UK treats EEA states as adequate on a transitional basis. If the EU decides that the UK does not have adequate data protection, transfers of personal data from the EEA to the UK will need to rely on appropriate safeguards or on one of the exceptions (derogations) for specific situations, and organisations in the UK receiving that data will need to help put those in place.

What does appropriate safeguards mean?

There is a list of appropriate safeguards which organisations can implement, and for most businesses the easiest option is to use standard contractual clauses approved by the European Commission. Template clauses and guidance on completing them are available on the Information Commissioner's website.

Data protection rules in the UK

The UK GDPR replaced the EU GDPR in UK law from 1 January 2021. It is the EU GDPR as retained and amended in domestic law, so the main principles, obligations and rights remain in place. The UK GDPR, alongside the amended Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR), makes up the key personal data legislation in the UK.

UK organisations offering goods and services to individuals in the EEA, or monitoring the behaviour of individuals in the EEA, will be subject to both the EU GDPR (under its extraterritorial scope in Article 3(2)) and the UK GDPR.

Key considerations for your business

· Check your personal data flows

· If you have no data flowing outside the UK and no contacts or customers in the EU, there is not much you need to do beyond complying with UK data protection law

· If you do exchange data with the EU, map it out to understand whether you are transferring personal data out of the UK, receiving it from the EEA, or both

· If relevant, prioritise by the type and volume of data being transferred, e.g. special category (sensitive) personal data, large volumes, and data on criminal convictions

· If relevant, use the ICO interactive guidance tool to help you

· If you have no establishment in the EEA but offer goods or services to, or monitor, individuals there, you may need to appoint a representative in the EEA

· If you have offices, branches or establishments in the EEA, check which European data protection regulator will be your lead supervisory authority under the EU GDPR, since the ICO no longer acts as lead authority within the EU one-stop-shop mechanism

· Ideally, if you receive personal data from the EU, put alternative safeguards in place before the end of April (when the initial four-month bridge expires), if you have not done so already

· Regularly check for updates on the adequacy decision

Detailed guidance and up to date information on the adequacy decision developments can be found on the Information Commissioner’s website: www.ico.org.uk