Simon Coulthard July 01, 2022
The UK’s decision to end its five-decade-long membership of the EU was a landmark event in European history.
Beyond the general political furore that swept across Europe, Brexit had huge implications for companies that do business across the Channel - with the free flow of data a vital component of Anglo-European trade.
However, many marketeers and companies are still confused about the relationship between the UK, GDPR, and data privacy regulations in general.
So, how will Brexit affect GDPR? In the absence of real clarity from the European Union, this article will shed some light on what remains an important issue.
The short answer here is no.
Since GDPR is an EU regulation, it stopped applying to the UK after December 31st, 2020.
However, any UK company that offers goods or services to - or monitors the behavior of - EU residents still has to comply with it.
This is because the GDPR is an “extraterritorial” law that is designed to offer data protection for EU residents regardless of where their personal information is transferred globally.
By leaving the EU in January 2021, the UK became a “third country” - to use GDPR terminology.
Practically, this means that it has to prove that its laws meet European data protection standards in order for the personal data of EU residents to be transferred to the UK without adopting additional safety measures.
Thankfully, it was able to do so, with an “adequacy decision” by the European Commission on June 28th, 2021, allowing for cross-channel data transfers to continue flowing freely to the UK.
The other countries that have been fully awarded this designation are Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan, and South Korea - so it’s a fairly exclusive club at present.
What this means is that, by meeting domestic data privacy requirements, UK companies are also complying with GDPR and don’t have to do much differently when they’re receiving personal data from the EU - beyond the points outlined below.
UK companies that do business with EU residents or monitor their behavior will need to take the following steps to fully meet GDPR requirements:
In the future, companies may also need to update their contracts dealing with EU-UK data transfers, though the UK’s “adequacy agreement” with the EU means that this is not necessary at the moment.
Enough has already been written about GDPR that we won’t go through these steps in detail here, but you’re welcome to visit our GDPR Information Hub if you’re looking for comprehensive information.
At present, no, but it does have its own UK-GDPR.
This can’t be considered a complete replacement for GDPR since it’s a temporary measure that is only expected to last up until June 2025.
What is the Difference Between UK-GDPR and EU-GDPR?
UK policymakers effectively fused the country’s Data Protection Act 2018 with GDPR, creating what is known as the UK-GDPR. This came into force the moment that the UK left the EU in January 2021.
The law applies to:
The UK-GDPR is nearly identical to the EU law - unsurprisingly given that the UK had a lead role in creating the European legislation.
However, there are a small number of important differences between the two:
Beyond the UK-GDPR and EU-GDPR, there are other components of the UK’s data protection framework that companies need to respect:
This does look increasingly likely.
In September 2021, the UK government published a consultation outlining potential revisions to the country’s data protection framework.
In effect, this would weaken data protection laws so that the UK can enter into agreements with non-EU countries like Australia, South Korea and the US.
This is part of the country’s broader strategy to shift more of its trade away from Europe after Brexit - something with obvious implications for data transfers across the Channel.
One potential consequence of this is that the European Council could rescind its “adequacy agreement” for data transfers.
If this were to happen, UK companies would have to sign Standard Contractual Clauses (SCCs) - arrangements that ensure they will handle data in accordance with GDPR requirements.
However, nothing has been formalized yet - so, that’s a blog for another day.
Given that the UK’s Brexit Referendum took place two years before GDPR came into force, the European Union certainly had enough time to incorporate this event into its official guidance.
That they didn’t is unsurprising given the ambiguity of the law as a whole - something that has given marketers around the world many a sleepless night.
However, new laws often have teething problems, and lawmakers today have a far better understanding of the practicalities of data privacy laws.
But if you’re looking for more information about GDPR compliance, we have created a useful and free Checklist that runs through all the steps a company needs to take to meet Europe’s data privacy requirements.