Cast your mind back to the balmy, pre-pandemic world of 2018 when we were free to roam in public with whomever we pleased, when the sound of coughing was nothing more than a mild irritation, and when the only worry on people’s minds was Britain’s exit from the EU. Fast forward to now and Britain’s exit from the EU is still a concern but it’s joined by a whole host of other worries too. How times change!
2018 was also the year that the GDPR was enacted by the EU across all member states. For many, it was a time of panic as they tried to grapple with the new Regulation and make sure that they were compliant before the ICO came a-knocking and handed them a big multi-million pound fine. A lot has changed since those days, not least of all the fact that the UK is no longer even in the EU. So, why should we still care about the GDPR and what will data handling look like going forward?
To put it bluntly, it’ll look fairly similar. Yes, the GDPR is a European Regulation. Yes, the UK has now left the EU. But, as a nation, we still want to keep our data safe – the UK was very heavily involved in the writing of the EU Regulation, after all – and we want to continue sharing data and trading with the EU. And that means that the UK’s data protection laws need to meet the same standards as the EU’s.
In relation to the EU, the UK is now classified as a “third-country” and all transfers of data from the EU to the UK are restricted unless the European Commission grants an Adequacy Decision. An Adequacy Decision states that a particular country’s data security laws meet the standards of the EU GDPR and that it’s safe to transfer data without any additional safeguards. To help make sure this happens, the UK government transferred the GDPR, in its entirety, into UK law. They made a few tweaks to make it UK-specific but otherwise, it’s pretty much the same as before.
As of 1st January 2021, the UK GDPR is the only Regulation which protects UK citizen data (if you handle EU citizen data, you’ll still need to comply with the EU GDPR as before). The EU has still not granted an Adequacy Decision to the UK; however, part of the trade deal reached between the UK and EU allowed for a “grace period” in which data could still be shared between the two regions exactly as before. In four months’ time, the EU will have made a decision on whether or not to grant an Adequacy Decision to the UK.
Until this decision is reached, everything will remain exactly the same. If, at the end of this period, the EU grants an Adequacy Decision, nothing changes (mostly). If they don’t grant the Adequacy Decision, then there will be some extra steps in place regarding transfers of data between you and the EU.
One final point. If the Adequacy Decision isn’t granted, the UK Government will need to make a choice. Does it try to bring the UK’s Data Protection laws back in line with the EU’s (therefore making things continue much as they are now)? Or does it accept that we are now a third country, that extra safeguards need to be in place to share data with the EU, and take UK Data Protection laws in a new direction entirely?
UK GDPR Training
Is your GDPR training up to date? Now could be the perfect time to refresh your staff's training and learn what the UK GDPR aims to achieve and why it exists. In just 35 minutes, our UK GDPR Essentials Training will provide an understanding of the 7 principles of the GDPR; users will know the individual rights guaranteed to all data subjects and the difference between a Data Controller, Data Processor, and Data Subject. For those in Education, we have a UK GDPR course specifically aimed at this industry. For those in management, or anyone who is enforcing or managing data protection in their workplace, we have our GDPR UK Advanced (Management) Training.