Rick Goud explores the data privacy issues that are likely to arise post-Brexit.
Recently we witnessed what could go wrong with regional data agreements when the EU’s highest court, the Court of Justice of the European Union, invalidated the EU-US Privacy Shield, deeming that it does not sufficiently protect EU data subjects.
Why is this relevant for UK data protection? Because this incident could affect the data adequacy decisions that countries – including the UK – seek from the EU in future.
GDPR post-Brexit transition
For the remainder of the Brexit transition period, taking us to 31 December 2020, UK organisations must continue to comply with the EU’s General Data Protection Regulation (GDPR), and should plan to do so indefinitely if they collect data on European contacts such as customers.
From 1 January 2021, however, the current GDPR will no longer be binding in the UK and new data protection legislation will be introduced. This transition can go smoothly if the new legislation is functionally similar to the GDPR. British lawmakers were, after all, involved in crafting the original GDPR, so any deviations should, ideally, be minor. And with organisations having enough on their plates nowadays, dealing with the challenges and uncertainty caused by Covid-19, lawmakers can help by limiting any changes to the GDPR rules in the UK to those that are strictly necessary.