As you probably know, the Withdrawal Agreement concluded between the European Union (“EU”) and the United Kingdom (“UK”) establishes the terms of the UK’s orderly withdrawal from the EU, in accordance with Article 50 of the Treaty of the EU. The Withdrawal Agreement entered into force on February 2020, after having been agreed on 17 October 2019. It consists amongst others of a Protocol on Ireland and Northern Ireland.
Since that date, the UK has been a third country to the EU. The Withdrawal Agreement remains in force, as the Trade and Cooperation Agreement is not intended to replace it.
This withdrawal had some impacts on the GDPR in the UK. Indeed, as the UK was not part of the EU anymore, it brought the question of the GDPR: is it still applicable or not?
For data protection purposes, the transfer of personal data between a country of the EEA and the UK will not be considered as a transfer to a third country within the meaning of the #GDPR for 4 months (starting 1 May 2021), extended by 2 months (until 1 July 2021). During this period, the UK will continue applying EU data protection rules to the current “stock of personal data”, until the EU, through an adequacy decision, establishes that the UK’s data protection rules provide safeguards which are essentially equivalent to those in the EU. This post-Brexit agreement will come to an end if an adequacy decision is made by the Commission concerning the UK. If no adequacy decision is adopted on 1 July 2021, the transfer of personal data between the UK and the EEA will be considered as a transborder data flow.
Nevertheless, the UK decided to have their own GDPR: called the “UK-GDPR”. This instrument is using powers under the EU (Withdrawal) Act 2018 to amend the Data Protection, Privacy and Electronic Communications, in order to ensure that the legal framework for data protection within the UK continues to function correctly after the exit day. The Data Protection, Privacy and Electronic Communications Regulations rename the retained EU GDPR the ‘UK GDPR’. They amend the UK GDPR to make it work properly as domestic law. There will be no material difference in most cases.
But the situation continues to evolve, and all the final decisions have not been yet taken.
It may be useful to recall that raising GDPR awareness is one of the most important mission of the DPO and this regardless of the decision that the UK will take. According to several studies, the most frequently used tools to train the staff on the GDPR are meetings with business departments (27%), distribution of information on the intranet (18%), emailings and newsletters (17%). What is more surprising is that e-learning remains a lever that is still not used a lot by organizations, even though it is proven to be the best means of communication in the corporate sector, especially when training programs are conducted for people across the globe. It enables individuals to acquire important skills wherever they are located.
The GDPR e-learning is the perfect tool to raise GDPR awareness in the team or to deepen your knowledge. You will find 10 complete GDPR trainings ranging from 20min to 1h30. Each training addresses a different aspect of the GDPR. Contact us to know more!
On May 2021, EU lawmakers have endorsed one resolution, sending a strong political message to the European Commission on data transfers with the United Kingdom respectively. A resolution which concerns the UK data adequacy decision. The European Commission should amend its draft decision on UK data protection to ensure EU standards for citizens’ privacy and data protection are respected.
Members of the European Parliament (MEPs) asked the Commission to modify its draft decisions on whether or not UK data protection is adequate, and if data can safely be transferred following the concern raised by the European Data Protection Board (EDPB). The EDPB also ask for the UK to clarify its position on laws that allow government agencies to collect bulk data and its position regarding international agreements and data transfers.