UK-GDPR Updates and the Impact of the Brexit Transition – A quick guide

If you have lived in the UK over the last 6 years you probably know about the General Data Protection Regulation (GDPR), and the massive upheaval it brought to businesses everywhere in 2018.

GDPR covers any business that deals in the UK or EU with human beings as clients, customers or business contacts. In the UK, the UK GDPR and the UK Data Protection Act (DPA) apply to all businesses.

An Overview of Post-Brexit GDPR 

When the UK left the EU it ported the GDPR rules over into domestic law and called the result the UK GDPR. That was a pragmatic step, and it made sure there wasn't another huge upheaval for business.

The UK had already created the Data Protection Act 2018 to tie into the GDPR rules. The DPA fills in the blanks that GDPR left for each nation to decide, and it created specific criminal offences in the UK.

1. No change 

First, nothing has really changed: the same rules apply. The UK was granted adequacy status (28 June 2021) under the EU's GDPR rules, so personal data can flow between the UK and the EU. That status, however, runs on a fixed timeline of 4 years, may not be renewed, and may even be withdrawn within that period if the UK does not keep its rules close to the EU's.

2. International Personal Data Transfers 

If you are using suppliers or systems based outside the UK then you must still look at where they are based. If they are outside a few approved jurisdictions (EU/EEA, Canada, Argentina and a few smaller ones) then you need to check they have an approved legalising document in place (if they are in the USA then that is problematic). Those documents used to be called the EU Model Contracts or Standard Contractual Clauses. The UK adopted them, and they remain lawful to use for now, but the UK has since approved its own version, the International Data Transfer Agreement. If you are UK based only then the UK version should be fine, but if you are multi-national you may want to keep using the EU versions.

3. The Appointment of a Data Protection Officer or EEA Representative 

Some businesses still must appoint a Data Protection Officer, but every business must have someone who is responsible for implementing the rules around personal data. A UK business that has subsidiaries or operations in the EU will also have to appoint someone there to act, in effect, as its local DPO.

Website Compliance 

Website owners still need to obtain consent from users before placing non-essential cookies on their browsers. Simply put, users must be given the option to accept or reject all non-essential cookies. Failing to do that gives each site visitor a claim. Moreover, UK businesses must update their privacy policies according to the UK GDPR regulations to run alongside their cookie policy.
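The consent requirement above is easiest to get right when the site's own code refuses to write a non-essential cookie until a choice has been recorded. The following is an added example, not code from the original guide: a small consent gate in which the cookie categories, the in-memory cookie jar (a stand-in for document.cookie) and the cookie names are all constructed for illustration. Its defaults follow the text: before any choice only essential cookies may be set, "reject all" is a one-step action just like "accept all", and withdrawing consent removes cookies already placed in the withdrawn category.

```javascript
// Added example (not from the original guide). Category names, cookie names and
// the Map-based "jar" are constructed for illustration; a real site would use
// document.cookie and persist the choice in a strictly necessary consent cookie.

const CATEGORIES = ['essential', 'analytics', 'marketing'];

// Fresh visitor: no choice recorded yet, so only essential cookies are allowed.
function createConsentState() {
  return { decided: false, allowed: new Set(['essential']) };
}

// "Accept all" and "reject all" are deliberately symmetric single calls.
function acceptAll() {
  return { decided: true, allowed: new Set(CATEGORIES) };
}

function rejectAll() {
  return { decided: true, allowed: new Set(['essential']) };
}

// Granular choice: essential is always kept, unknown categories are ignored.
function setPreferences(chosen) {
  const allowed = new Set(['essential']);
  for (const c of chosen) if (CATEGORIES.includes(c)) allowed.add(c);
  return { decided: true, allowed };
}

// The gate: essential cookies always pass; anything else needs a recorded choice
// that includes its category.
function canSet(state, category) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  if (category === 'essential') return true;
  return state.decided && state.allowed.has(category);
}

// Writes to the jar only when the gate allows it; returns whether it was written.
function setCookie(jar, state, name, value, category) {
  if (!canSet(state, category)) return false;
  jar.set(name, value);
  return true;
}

// After consent is withdrawn, remove cookies already placed in disallowed
// categories. registry maps cookie name -> category.
function purgeDisallowed(jar, state, registry) {
  const removed = [];
  for (const [name, category] of Object.entries(registry)) {
    if (!canSet(state, category) && jar.has(name)) {
      jar.delete(name);
      removed.push(name);
    }
  }
  return removed;
}

// Worked run: a visitor lands (no choice), later accepts all, then narrows
// consent to analytics only, which purges the marketing cookie.
function demo() {
  const registry = { session_id: 'essential', _ga: 'analytics', ad_id: 'marketing' };
  const jar = new Map();
  let state = createConsentState();
  const beforeChoice = [
    setCookie(jar, state, 'session_id', 'abc', 'essential'),   // allowed
    setCookie(jar, state, '_ga', 'GA1.1', 'analytics'),        // blocked: no choice yet
  ];
  state = acceptAll();
  setCookie(jar, state, '_ga', 'GA1.1', 'analytics');
  setCookie(jar, state, 'ad_id', 'x', 'marketing');
  state = setPreferences(['analytics']);
  const removed = purgeDisallowed(jar, state, registry);
  return { beforeChoice, removed, remaining: [...jar.keys()] };
}

console.log(demo());
```

The point of keeping the gate in one function (canSet) is that every cookie-writing path on the site, including third-party tag loaders, has to go through the same decision, so an audit of "what runs before the visitor chooses" reduces to reading that one function.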

New Data Protection Reforms 

The UK government has recently consulted on possible changes to the rules. The results are widely awaited, although most of the proposed changes are not going to make much difference to most businesses.

Conclusion 

Whether you're a new business or still transitioning into the new regulatory regime, you need to keep up with the latest UK GDPR updates to remain compliant.