GDPR & Brexit now that we’ve left the EU

With the UK having left the EU last week (on Friday), I thought it would be useful to just recap what that means for GDPR compliance in 2020 and into the future.

The short answer is that nothing changes in 2020, but there could be changes from next year once the transition period has ended. So, right now, even though we’re out of the EU, EU GDPR still applies as it has since it came into force in 2018; the UK’s Data Protection Act 2018 and Privacy and Electronic Communications Regulations (PECR) remain unchanged as well.

As you’ll know, we’re now in a transition period till the end of this year. During this period, in theory, all the tricky legal, trade, etc. agreements will be sorted out, so it’s possible that we will see proposals for GDPR post-transition. We’re likely to have UK GDPR, which is the same as the current EU GDPR but implemented in UK law. So again, as far as general GDPR compliance is concerned, little is likely to change post-transition; don’t go thinking that from next year you won’t need to worry about data protection anymore.

From 2021 though, what happens will depend on what is sorted out during the transition period – if that is nothing, the worst-case scenario is that it will be like a no-deal Brexit:

  • UK to EU data flows will be allowed to continue as they do pre-Brexit
  • The UK is likely to have a UK GDPR which is basically the same as GDPR, so the GDPR compliance requirements are likely to continue as-is
  • Little is likely to change if you operate in the UK only and don’t process any EU citizen data – you’ll still be answerable to the GDPR and the ICO in terms of enforcement
  • If you process EU citizen data sent from the EU, then the EEA organisation will not be able to pass the data to you unless you have the EU’s standard contract clauses in place
  • If you sell products or services into the EU from the UK, the EU GDPR will apply to you because GDPR has extra-territorial reach, plus you may need to appoint an EU representative: someone who represents you across the EU for GDPR matters, but operates in one of the member states where you have customers
  • PECR will continue to apply as it does today

There is a possibility that some of this will be sorted out during the transition period and won’t apply from 2021. So, you’ll need to keep an eye out for updates.

In terms of preparations for your own compliance, you don’t need to change anything right now. There may be a point in 2020 when you may need to put things in place in preparation for the end of the transition period. What those things are may depend on the status of GDPR post-Brexit. I’d suggest holding fire for now until we know a little more about what might happen. You may want to consider coming up with a plan of action so you can pinpoint the latest time you need to start making plans for a “no-deal” GDPR transition.

As always, if you have any worries about how this might affect you, or if you’re being put under pressure by non-UK clients wanting you to sign agreements ahead of time, then my GDPR helpline services can help you.

Regardless of what happens, here’s to a great 2020!
