On January 31, 2020, the UK officially left the EU. We are now in a transition period that will span January 31, 2020, through December 31, 2020. During this time, established privacy regulations like the EU’s GDPR and UK’s DPA will still apply, while trade and the future of these, and other, regulations will be negotiated.
Watch the webinar: Brexit Privacy Implications: What We Know About the UK’s Exit from the EU
Brexit: Transition Period
The EU’s privacy regulations (GDPR) and the UK’s Data Protection Act (DPA) will continue to apply during the 11-month transition period. Throughout the transition, companies must comply with both the GDPR and the UK DPA. Organizations should also keep track of the ongoing negotiations between the UK and the EU regarding privacy regulations.
UK’s Current Plan for Data Protection
The UK’s current plan for data protection is to write the GDPR into UK law as an amended version of the UK DPA. The UK DPA (as amended) will apply to controllers and processors based outside of the UK if their processing activities relate to:
- Offering goods or services to individuals in the UK or
- Monitoring the behavior of individuals taking place in the UK
Post-Brexit Transition Period
For organizations operating in both the UK and the EU, there are a few things to keep in mind:
- The UK DPA (as amended) will allow for the same Data Protection Officers (DPOs) in the UK and European Economic Area if it is “easily accessible”
- Local Representatives are defined as the following:
- In the UK: a controller/processor located outside of the UK must appoint a UK representative
- In the EU: controller/processor located in the UK, and outside of the EU, may need to appoint a local representation in the EU
Organizations established in the UK may have to face multiple DPAs in the event of a cross-border incident.
Brexit and Beyond
If you’re looking to find out more about Brexit and the transition period, watch the webinar Brexit Privacy Implications: What We Know About the UK’s Exit from the EU.