Data Protection & GDPR after Brexit Transition Period

On the 31st December 2020, after 47 years of membership, the UK officially left the European Union. And with this, the Brexit transition period had finally come to a close. At the beginning, there were many questions and worries still left out in the open regarding GDPR and the Data Protection Act. Our helpful Data Protection and GDPR after Brexit Transition Period summary could help you prepare.

However, with many discussions between the UK and EU finally winding down, it appears that UK businesses have received clarity regarding what actions need to be taken regarding data protection and data flows with the EU/EEA.


The General Data Protection Regulation (or GDPR for short) is Europe’s framework for data protection laws, which came into effect in the UK back in May 2018. Many of the GDPR concepts and principles are very much the same to the current Data Protection Act (PDA) in place in the UK.

Following the exit from the EU, the UK regained full autonomy over its data protection rules and with this, the UK GDPR Act has become the main piece of legislation. This is additional to the 2018 Data Protection Act and the Privacy and Electronic Communications Regulations (PECR). The UK GDPR Act is essentially the same as the EU version, but the terminology has been slightly amended to work with UK law.

What are the rules for data protection now?

From the 1st January 2021, the EU-UK Trade and Cooperation Agreement bridging mechanism for personal data will operate on the basis of UK law, with some restrictions on the use of international data transfer powers.

Since the agreement, the UK Government have announced that an extended period of time has been established for personal data to flow freely between the EU (and the EEA) to the UK, allowing for time to complete adequacy processes.

This period of time will be for no more than six months, in which during this time, businesses and public bodies across all sectors can freely receive data from the EU/EEA, including law enforcement agencies.

However, this period of time can be extended by another 2 months if the EU does not deem the UK as having adequate data protection laws. During this period of time, the United Kingdom will be viewed as part of the European Union (when it comes to data protection), hence the reason as to why data can travel freely between the UK and EU/EEA.

How does this impact my business?

Even though there is no rush for immediate changes required to your business, it does not mean that you should wait until the end of the 6-8 month period. You are your business should be as prepared as possible, as soon as possible, so that when the period ends you can transition smoothly with the new rules, regulations and procedures being adopted.

The UK Government and the Information Commissioner’s Office (ICO) have outlined some actions which can help you and your business to best prepare. These include, but are not limited to:

  • If your business offers goods and services to the UK or monitors UK individuals, without a UK branch, office or other establishments, consider appointing a UK representative. These principles apply to UK businesses when deciding to appoint a European representative
  • Remain updated with the progress of the events within the interim period. These can be accessed through both the ICO and Government websites
  • If your business receives personal data from the EEA, then adopting alternative safeguards before the 31st April 2021 will be necessary.

The Future of UK Data Protection

Even though the rules and regulations surrounding data protection in the UK has not changed drastically, especially to a point where businesses need to excessively worry, it is not to say that we are never to worry.

At the end of the interim period, there is a chance that the current laws in place could change and impact the data protection laws for UK businesses. Therefore, the ICO and UK Government have advised that business owners should consider how the laws may change, and best prepare themselves for a smooth transition.

It is very likely that come to the end of the 6-8 month period, the UK will have been granted adequacy by the EU, but it is not a given… Even though the UK data protection laws are aligned with the current EU regulations, your business should keep up-to-date with the progress and look out new updates surrounding the agreement.