Overview of what changes could be needed to data protection legislation post Brexit.
Whilst the UK is due to leave the EU at the end of January, the country will actually enter a transition period, finishing in December 2020, during which current rules will still apply.
This period may be extended if no trade deal has been finalised at this point.
This means that although we might formally leave the EU, there is no requirement for many of these changes until the transition period has finished, and their future requirement will depend on what sort of UK-EU trade deal is negotiated.
If no agreement is in place regarding future arrangements for data protection, there would be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and legislation would incorporate the GDPR into UK law to sit alongside it.
However, the legal framework governing the transfer of personal data from the EU to the UK will change.
In the event of no agreement the EU will consider the UK as a ‘third country’ and personal data transfers from the EU to the UK will be ‘restricted’ pursuant to Chapter V of the GDPR. This means specific standards will need to be adopted to support the lawful transfer of personal data to the UK.
A 6-step checklist and further guidance have been developed by the Information Commissioner's Office (ICO), outlining the steps your business or organisation should take to prepare for the UK's exit from the EU in a no-deal scenario.