1. Skip to Content
  2. Skip to Navigation
COVID 19 -
Toggle Menu


More news

Data protection in the post-Brexit era – what has changed?

27 Jan 2021

The end of the transition period – what has changed?
The UK left the European Union on 31st January 2020 and entered a transition period, which ended on 31st December 2020. What does this mean for data protection and your business?

In short, the data protection principles set out in the EU General Data Protection Regulation (“EU GDPR”) and the Data Protection Act 2018 (“DPA”) will remain in place, with fundamental rights and obligations, such as accountability and transparency, continuing to apply. The EU GDPR is retained in domestic law and the “UK GDPR” sits alongside an amended version of the DPA.

The transfer of personal data by UK businesses to the European Economic Area (“EEA”) will remain largely unchanged and can continue without any additional protections being put in place. What may change is the basis on which UK businesses receive personal data from the EEA.

The UK and the EU agreed a four month “grace-period” from 1st January 2021, at the end of which the UK could be regarded as a “third country” under the EU GDPR. At the time of writing, the UK Government is seeking an adequacy decision from the European Commission, allowing the flow of personal data from the EEA to the UK to continue without any additional safeguards being required. In the absence of such adequacy decision, transfers from the EEA to the UK will need to comply with EU GDPR transfer restrictions.

This is a fast-moving area and the Information Commissioner’s Office (“ICO”) has confirmed it will keep its guidance under review and update it as the situation evolves.

What does this mean for my business?
If you are a UK-based business or organisation, and you transfer personal data to or from other countries (including European countries), you should consider the following steps:

  • Understand and record your international flows of personal data, focusing mainly on transfers from the EEA to the UK. Note the definition of “personal data” captures all information that relates to an identified or identifiable individual.
  • Whilst you should consider all transfers, you may look to prioritise transfers of large volumes of data, transfers of special category data, and your business-critical transfers.
Brexit LinkedIn
  • Establish how you can continue to receive such transfers of personal data lawfully, now the transition period has ended. In the absence of an adequacy decision (which is being sought by the UK Government), the simplest way to provide an appropriate safeguard for a restricted transfer from the EEA to the UK is to enter into “standard contractual clauses” with the sender of the personal data.
  • Review your existing data protection documents (privacy notices, records of processing activities etc.) and make the necessary amendments to reflect that transfers of personal data to and from the EEA are now international transfers.

What are Standard Contractual Clauses (SCCs)?
SCCs are pre-approved contractual clauses that can be used as an appropriate safeguard to comply with the restricted transfer rules under data protection legislation. In practice, they are a series of standard clauses forming a contract between the data exporter and the data importer for the purposes of transferring personal information. The data exporter gives the importer certain warranties and undertakings regarding the collection, processing and transferring of the data. In turn, the data importer offers assurances on having appropriate technical and organisational measures in place to protect the personal data.

What next?
Although the UK Government are hopeful of securing an adequacy decision from the European Commission, it is vital that you understand and rationalise your international data flows. You should open up a dialogue with entities in Europe from whom you receive personal data and prepare for the possibility of SCCs being required in the absence of an adequacy decision.

How we can help
Our team of data protection experts have a detailed understanding of this ever-evolving area of law so can ensure your business is compliant. To discuss the data protection challenges facing your business, please contact Ben Jackson at ben.jackson@hay-kilner.co.uk or on 0191 232 8345.