Now that 31 January 2020 has passed and the UK has officially left the European Union, we have entered a transition period to allow time to negotiate a new trading relationship with the EU. The end date for the transition period is currently set at 31 December 2020, although it is possible that the transition period could be extended for up to two years (provided this is settled before 1 July 2020).
The ICO has clarified that, with regard to data protection, the General Data Protection Regulation (GDPR) will continue to apply in the UK during the transition period and organisations won’t need to take any immediate action. But the clock is ticking when it comes to the time needed to negotiate all the new arrangements, and if the recent news reports are to be believed, the gulf between the EU and the UK’s objectives is becoming more apparent. This means that some version of ‘no deal’ could definitely still happen, although it will be a different kind of ‘no deal’ than before, which related to the UK leaving the EU without a withdrawal agreement in place. From 31 January onwards, ‘no deal’ refers to the UK and the EU not agreeing a future trading relationship before the end of the transition period.
What does ‘no deal’ now mean for data protection?
The data privacy implications for organisations in the UK of leaving at the end of 2020 without a commercial deal in place are, however, broadly the same as they were before, i.e.:
1. Generally speaking, GDPR is an EU regulation but it will be brought into UK law as ‘UK GDPR’ alongside the Data Protection Act 2018, at the end of the transition period. Organisations will need to continue to comply with UK data protection law before and after the transition period, so there will be little change to the core data protection rights and obligations within the UK;
2. If your organisation only processes the personal data of UK data subjects within the UK and you do not make any transfers out of the UK, then you will not be affected if no trade deal is agreed;
3. With regard to transfers from the UK to the EU, the UK government has recognised the ‘adequacy’ of the EU, so data from the UK can continue to flow;
4. With regard to data transfers from the EU, the UK will be a ‘third country’ for these purposes. Therefore, transfers of personal data from the EU into the UK will be restricted and, in the absence of an agreed ‘adequacy decision’ by the EU at the end of the transition period, additional measures will need to be taken so that data can continue to flow compliantly.
What can organisations do now to plan for the end of the transition period?
1. Ensure you have an up-to-date Record of Processing Activities and that your status as a data controller and your relationships with any data processors are understood and mapped;
2. Map your data flows to understand whether your business is reliant on the transfer of personal data in/out of the EU. You should pay particular attention to large volumes of data and ‘special category’ data. If you are reliant on these kinds of transfers, we would recommend you take steps to understand your potential options to ensure that you can maintain the free flow of data into the UK from the EU;
3. Review your contracts (perhaps starting with your standard terms) to understand what steps are currently imposed on you with regard to international transfers. Identify whether there are any contractual requirements that impose unnecessary measures or steps on your organisation with regard to international data transfers (remembering that the UK will be ‘outside the EEA’ after the transition period) or whether any minor changes can be made, and consider updating your existing contracts by issuing a contractual variation to relevant counterparties;
4. If you are a UK business or organisation with an office, branch or other established presence in the EU, or if you have customers in the EU, you will need to comply with both UK and EU data protection regulations after Brexit. You may need to designate a representative in the EU. However, if you only transfer personal data outside the UK to consumers or only receive personal data from outside the UK directly from consumers, then you will not be affected.