The end of the Brexit transition period on 31 December 2020 means the UK now has full autonomy over its data protection policies. As of 1 January 2021 the UK is recognised as a ‘third country’ under EU General Data Protection Regulation (GDPR) rules. The EU-UK Trade and Cooperation Agreement, which is an agreement in principle between the EU and UK, does not yet include a provision for the vast flow of personal data being transferred between the two jurisdictions. The transfer of personal data will be subject to a separate adequacy decision from the EU, due in early 2021. This separate adequacy decision will determine whether the EU will allow the ongoing free flow of data from EU/EEA countries to the UK. If an adequacy decision is not granted, then organizations that transfer personal data from the EU/EEA to the UK will have to take additional steps to ensure that the data being transferred receives protections equivalent to those in the EEA. The UK has already determined that it considers all EEA/EU states to be adequate, which means that personal data flows from the UK to the EU/EEA will remain unaffected.
Until the EU completes its adequacy assessment, it has granted a grace period that will delay any EU restrictions on personal data transfers to the UK for the next four months. This bridging mechanism under the agreement can be extended up to 6 months (if no objections are made) but will cease once the EU adequacy decision is enforced. Whilst the bridging mechanism is in place, the UK is able to make changes to its personal data policies and exercise its international powers subject to mutual agreement from the EU. The EU cannot block any changes made by the UK but if the EU objects to them then the bridging period will end.
The EU-UK Trade and Cooperation Agreement also recognizes ‘legacy data’ as overseas personal data processed in the UK before the end of the transition period. Data processed before 1 January 2021 will therefore remain subject to EU GDPR policies (the ‘frozen GDPR’), whereas data collected after the transition period will need to comply with UK GDPR and the Data Protection Act 2018.
The Information Commissioner’s Office (ICO) has recommended that organizations make arrangements before the end of April to safeguard against the possibility of an adequacy decision not being granted by the EU. These can include the adoption of binding corporate rules; standard contractual clauses; certification and codes of conduct; and derogations, all of which are set out in the GDPR.