For better or for worse: 2020 is shortly coming to an end. This means that the end of the Brexit transition period is also just around the corner.
On December 31, 2020, the post-Brexit transitional arrangements between the EU and the UK will expire. However, the EU GDPR will be retained in UK domestic law (with only minimal amendment) in the so-called “UK GDPR.”
Despite the similarities between the UK GDPR and the EU GDPR fact, many organizations will still have to consider a few key areas when it comes to compliance with these two pieces of law.
Key areas that will need to be considered from January 1, 2021 onwards from a Brexit-related data protection perspective are:
- Addressing new restricted transfersTransfers to the UK from the EEA (and vice versa) will become so-called “restricted transfers,” which will require a transfer mechanism (e.g., reliance on a relevant adequacy decision, execution of appropriate Standard Contractual Clauses, etc.).
- New representativesMany organizations will need to consider whether they are obliged to appoint UK representatives under the UK GDPR.In some cases, this requirement may well be in addition to the obligation to appoint an EU representative under the EU GDPR. For example, this will be relevant for UK organizations who target goods or services at, or monitoring the behaviors of, data subjects in the EU, but who have no presence in the EU.
- Loss of one-stop-shop protectionsThe UK ICO can no longer be a lead supervisory authority.This means that organizations who had identified the UK ICO as their lead supervisory authority will lose the benefits/protections of the EU GDPR’s one-stop-shop regime (unless they effect a material restructuring of their data processing operations – i.e., moving their main establishment to an EU member state).
- Updates to documentationOrganizations will have to make several updates to data protection‑related documentation (most notably privacy notices, data processing addenda and similar contractual arrangements, and internal policies and records).For example, changes will be required to address:
- That the UK is no longer a member state of the EU and no longer party to the post-Brexit transitional arrangements
- That the EU GDPR no longer has direct effect in the UK and has been replaced by the UK GDPR
- That transfers to the UK from the EEA (and vice versa) constitute restricted transfers that require a suitable legal basis (e.g., execution of appropriate Standard Contractual Clauses)