The Brexit transition period ended on 31st December 2020 and this raises the question whether the General Data Protection Regulations (GDPR), which is a European Regulation, still applies in England and Wales?
Whilst GDPR is a piece of EU legislation, following the transition period it has since been incorporated into UK law and is now known as the UK GDPR. The UK GDPR sits alongside the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PERC) forming the personal data protection legislation in the UK.
Whilst the UK GDPR applies to controllers and processors based in the UK, it can also apply to those based outside of the UK if their processing relates to the offering of goods or services to individuals in the UK or monitoring the behaviour of individuals taking place in the UK.
In essence, the UK GDPR is on substantially the same terms as the EU GDPR and therefore the main principles, obligations and rights remain in place and are ultimately unaffected. The only significant change that businesses need to be aware of are the new rules that must be followed in respect of transferring personal data from the UK to other countries. Such transfers are now classed as restricted and are subject to transfer rules.
Who is affected by the new rules relating to international data transfers?
If you are a UK business or organisation subject to the UK GDPR and you transfer personal data to or from other countries (including European countries) you will need to familiarise yourself with the changes.
If you do not transfer or receive personal data from outside of the UK you do not need to concern yourself with the new rules surrounding international data transfers.
What are the new rules relating to international data transfers?
Essentially, you can transfer data internationally if you are permitted to do so by the adequacy regulations, an appropriate safeguard or an exception.
The adequacy regulations essentially assess whether a country provides adequate protection for individual’s personal data. You are permitted to transfer data to or from any of the countries as identified within the adequacy regulations.
If the country with which you are intending to transfer data to or from is not listed within the adequacy regulations, you need to consider whether there is an appropriate safeguard or an exception upon which you can rely.
It is important to note that the UK has the independence to keep the framework under review and it is therefore likely that the countries listed within the adequacy regulations may be subject to change in the future. It is therefore important that you keep yourself up to date with the rules and regulations to ensure that you remain compliant.
How can Nelsons help?
Ruby Ashby is an Associate in our expert Dispute Resolution team.
Should you have any queries regarding your obligations under the UK GDPR and/or international data transfers, please contact Ruby or another member of the team in Derby, Leicester or Nottingham on 0800 024 1976 or via our online enquiry form.