Managing personal data laws after 31 December 2020

UK organisations without any suppliers, customers or contacts operating in the EU will only see minimal changes, as the UK moves from GDPR to an equivalent UK GDPR, although privacy notices will need to be reviewed and, where necessary, updated to reflect the change in law.

The biggest changes will be felt by UK organisations who have operations in Europe, whether customers, suppliers or other local businesses. These organisations will need to review their current contracts and operations to ensure that they continue to comply with both EU and UK GDPR rules.  Transfers of personal data from the EEA to the UK will be “restricted transfers” under the GDPR, and will be subject to additional protective measures.

Whilst the UK Government remains confident that an adequacy decision will be approved as part of the continuing trade negotiations, a recent decision in the European Court of Justice calling into doubt the consistency of the UK’s surveillance regime with the data protection principles set out in the GDPR makes this less certain. If the UK is not given an “adequacy” decision, organisations will need to be prepared to put in place alternative international data transfer mechanisms.

Both the UK GDPR and the GDPR require controllers and processors to be accountable for compliance, which requires an appropriate record of the decisions taken about what steps need to be taken and how your organisation is complying.

• Are you sending personal data to or receiving personal data from an EU country?
• Do you offer goods or services to individuals in the EU, which requires a local representative?
• If you are not a UK-based organisation but have UK-based customers, do you have a representative?