Even after Brexit, companies in the United Kingdom can be expected to continue doing business easily with partners in the European Economic Area (EEA) and to have personal data flow there.
The UK GDPR has been in force in the United Kingdom (UK) since the beginning of January. In addition, two legal provisions that the UK had already created before Brexit remain in force: the Data Protection Act (DPA 2018) and the Privacy and Electronic Communications Regulations (PECR 2003). The DPA sits alongside and supplements the UK GDPR. It contains separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defense, and sets out the Information Commissioner’s functions and powers. By contrast, PECR govern specific rights in electronic communications.
Transfers from the UK to the EEA
With the UK GDPR as the British variant of the European GDPR, companies currently do not face any new regulations for data flows from the UK to the EEA. This is because, on a transitional basis, the UK has declared the states of the EEA, which also includes Norway, Iceland and Liechtenstein, to be on an equal footing for data flows from the UK. If your company is based in the UK and stores or processes personal data in the EEA, it can continue to do so without any problems.
EU adequacy decision becomes more likely
And how does the EU deal with data protection in the UK? The trade and cooperation agreement that the EU and UK concluded at the end of 2020 provides for a transition period, called the bridge, until June 30, 2021. By then, the EU should, if possible, recognize the UK GDPR and the protection of personal data in the UK as equivalent to the EU GDPR.
The first step has been taken: on February 19, 2021, the EU Commission launched the procedure for adopting two adequacy decisions for personal data transfers to the UK, one for the General Data Protection Regulation and another for the Law Enforcement Directive. Publishing the draft decisions marks the beginning of the process for possible adoption. For this, the European Data Protection Board (EDPB) and an EU committee of member state representatives must give the green light.
The Commission could then adopt the two adequacy decisions, which would initially be valid for a period of four years. If the level of protection in the UK still stands up to scrutiny, the validity could be extended for a subsequent period.
Companies can find more information on the website of the UK data protection authority, the Information Commissioner's Office.
DocuWare: reliable and sustainable partner for UK companies
It therefore looks as if nothing will change for companies in the UK in terms of data protection and that the trusting cooperation with companies in the EU will also be secured for the future. Wherever you do business, DocuWare is your trusted partner for document management and workflow automation - whether it's data protection or other compliance areas.
Learn more about compliance with DocuWare.