Since 2018, the UK has followed the rules of the EU General Data Protection Regulation (GDPR). But as this is a law that implements an EU regulation, what happens when the transition period ends and we are officially out of the EU? How will Brexit affect data protection in the UK? What happens when we leave?
As 31 December looms, now is the time for businesses to get to grips with how data is to be handled in 2021 and beyond.
What is GDPR?
The EU General Data Protection Regulation (GDPR) came into effect in May 2018. It is the law that regulates how data is protected, and European Union member states have followed it since its implementation. As well as EU countries, it also applies to businesses and brands that supply services and goods in the EU.
To implement the EU GDPR in the UK, the Data Protection Act (DPA) 2018 was introduced. This is solely used in cases where there is a data protection breach in the UK. It covers the data protection principles that should be followed if we’re responsible for using personal data. According to the GOV.UK website, the Act ‘controls how your personal information is used by organisations, businesses or the government.’ Failing to comply with the regulation risks your business having to pay out data protection breach compensation and facing a legal dispute.
Are we covered during the transition period?
The UK officially left the EU on 31 January 2020. After this date and up to 31 December 2020, we have been in a transition period. This is the time agreed in the UK-EU Withdrawal Agreement for the UK to no longer be part of the EU while also negotiating the details and terms of Brexit.
During this transition, EU laws including the EU GDPR apply in the UK. This means that both the EU GDPR and the UK DPA 2018 continue to be implemented until the transition ends on 31 December. So, what comes after this?
What is UK GDPR?
Once the transition period ends, the EU GDPR will no longer apply in the UK. However, as suppliers of goods to EU member states, we will still need to follow the GDPR rules that other non-EU countries follow. To do this, the DPA 2018 will enact the EU GDPR requirements in UK law.
However, the UK government has also introduced the Data Protection, Privacy, and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. This is a crucial amendment to the DPA 2018 that merges it with the EU regulations the UK formerly followed to create a data protection system for the UK after Brexit. This system will be known as UK GDPR.
This is effectively the same as the EU regulations, so very little will change for businesses, and they should continue to follow the requirements of the EU GDPR. Privacy notices will need to be updated to reflect the change, but restrictions still apply and companies will need to comply in the same way as before.
While there is a lot of change ahead, our data will continue to be protected post-Brexit.