Face-to-face talks on the UK’s future relationship with the European Union may have been delayed for now due to the coronavirus, but the UK government has continued preparations by publishing a series of 17 documents laying down its “explanatory framework” for how it sees data exchanges between the UK and the EU continuing after the transition period, which is due to end on December 31.
With so much trade and business involving a digital element, reaching a deal on data flows is thought to be a priority for both the UK and the European Union. Personal data-enabled exports from the UK to the European block are thought to be valued at £85bn, while similar services coming from the EU to the UK are believed to be worth £42bn.
The government’s approach appears to be centred on the EU granting an adequacy decision, which is the process by which the European Commission determines that a third-country has sufficient data-protection laws that are comparable, if not identical, to the EU’s General Data Protection Regulation (GDPR). The Department for Digital, Culture, Media and Sport describes this as follows:
“Adequacy decisions are the European Commission’s legal mechanism to facilitate the free flow of personal data from the European Union to third countries. They can encompass data flows under the GDPR for general and commercial purposes and data flows under the LED [the Law Enforcement Directive] for law enforcement purposes.”
As a former EU member nation, the UK of course incorporated the GDPR in May 2018, with the Data Protection Act 2018 complimenting and superseding its earlier 1998 version. The documents express that this will automatically pass into UK law according to the European Union (Withdrawal) Act 2018 (EUWA), at which point the GDPR becomes what is known as “retained EU law”.
This does not mean that the GDPR will remain exactly the same, however, because circumstances may require minor changes to be made, as explained in the government’s documents:
“Under the EUWA, Ministers have the power to introduce secondary legislation, via statutory instruments, to prevent or remedy any deficiencies in retained EU law that result from the UK's withdrawal from the EU.”
In essence, the government sees the country’s future data-protection legislation as resting on what it calls “UK GDPR”—which will be a transcription of the EU’s GDPR, perhaps with minor modifications to enable it to function post-Brexit—combined with the Data Protection Act 2018.
As had been widely expected given the perceived success of the GDPR, the UK government appears to have chosen to continue the current data-protection standards. This should help it obtain an adequacy decision from the European Commission and avoid disruption for UK businesses.
If you have concerns that your operations are still not GDPR compliant, we at Pro-Networks can provide IT support and services to help you achieve a level of compliance that will deliver benefits even after the end of the transition period.