“If you operate inside the UK, you will need to comply with UK data protection law.”
This week the Information Commissioner’s Office (ICO), the UK’s data protection authority, is warning businesses that during the Brexit transition period its ‘business as usual’.
While negotiations about the nature of the future relationship between the UK and the EU are being hammered out, the ICO is warning that at the end of the transition period: “The default position is the same as for a no-deal Brexit: the GDPR will be brought into UK law as the ‘UK GDPR’.
There is still uncertainty around the structure of data regulation in the UK following the end of the transition period which occurs in December of 2020. However the ICO is clearly warning business that as far as it’s concerned anyone who is processing personal data should follow their current data protection obligations as they are laid out in the GDPR.
The ICO has stated that: “The GDPR is an EU Regulation and, in principle, it will no longer apply to the UK from the end of the transition period. However, if you operate inside the UK, you will need to comply with UK data protection law. The government intends to incorporate the GDPR into UK data protection law from the end of the transition period – so in practice there will be little change to the core data protection principles, rights and obligations found in the GDPR.”
Brexit Transition Period
The ICO will remain an independent supervisory body with regards to UK data protection legislation. It notes that if a company is transferring personal data from the UK to an EU entity then they can proceed as normal, as the UK government has stated that they will put no restriction on data flow. However, if the company is receiving data from a firm based in the EU they will need to take extra steps to ensure they are compliant.
One step the ICO notes companies no longer need to take is the appointment of a European Economic Area (EEA) representative during the transition period. Stating that: “During the transition period you do not need to appoint a representative in the EEA. However, you may need to appoint a representative from the end of the transition period if you are offering goods or services to individuals in the EEA or monitoring the behavior of individuals in the EEA.”
The ICO has previously advised that one of the best approaches when dealing with EU bodies from the UK is to establish standard contractual clauses (SCCs). The SCCs should outline the data protection responsibilities of a company with regards to GDPR legislation in the EU. The SCC would essentially establish contractual terms and conditions that ensure both companies process data in a legal manner.