Brexit Information Rights
24/12/2020
Following the UK’s formal departure from the EU and the end of the transition period on January 1st, the General Data Protection Regulation (GDPR) no longer applies to UK businesses. Introduced in 2018 as an EU regulation, the EU GDPR changed the way data was thought about and the responsibilities of businesses and organisations as data handlers.
A New UK GDPR
To make the departure from the EU easier for UK businesses and organisations, the EU GDPR has been incorporated into UK data protection law, which is now known as the UK GDPR. This means that in practice, little will change for UK data handlers that do not operate in, or transmit data to, the EU. As a reminder, the Data Protection Act 2018 (DPA 2018) also remains in place and still needs to be adhered to.
How does Brexit affect data regulation for businesses that still operate in the EU?
For those based in the UK continuing to operate in the EU or who require data to be transmitted to or from EU countries, the situation is more complicated. The EU has agreed a temporary ‘bridge’ until at least April 2021 (with an extension possible) to continue to allow data to flow between the UK and the EU until decisions have been made with regard to the adequacy of the UK’s replacement regulations and whether they will satisfy EU regulation. Businesses still reliant on dealing with EU countries have therefore been recommended to ensure they take measures to safeguard the flow of data beyond April, pending the result of the so-called ‘adequacy decisions’. In fact, you may need to appoint a European representative to help transfer your data safely and legally between the UK and the EU.
Data Protection After Brexit
The Information Commissioner’s Office (ICO) will continue to enforce the UK GDPR and other information laws and regulations; however, they will no longer enforce the EU version of GDPR. The ICO have said they hope to maintain a close relationship with the EU authorities now the transition has ended.
It’s worth being aware of other privacy regulations that started life as EU regulations that will also be moved into UK law and will therefore continue to apply to how we handle data:
- The Freedom of Information Act 2000 (FOIA), which allows the public to request certain items of information from public authorities, will remain in place.
- The Network and Information System Security Regulations 2018 (NIS) regulates how businesses prevent incidents which could impact on their information services and services.
- The Environmental Information Regulations 2003 (EIR) are similar to the Freedom of Information Act but concern information about the environment held by public officials. They are expected to continue to apply unless repealed or amended, which means some changes could potentially be made in the future.
- The Privacy and Electronic Communications Regulations 2003 (PECR), which regulate cookies, electronic communications and marketing online, have been written into UK law. The EU is currently looking to implement a new e-Privacy Regulation, but it's unknown if this will be taken on by the UK at a later date.
For more information on data protection and regulation, visit the ICO’s website: https://ico.org.uk