UK GDPR after Brexit

In late 2020, the UK and the EU finally agreed a Brexit trade deal - the EU-UK Trade and Cooperation Agreement ("Agreement"), which now governs the terms on which the EU and UK trade. As a result of the Agreement, the General Data Protection Regulation (“GDPR”) has been incorporated directly into UK domestic law as the UK GDPR.

Although the EU and UK both commit to uphold high standards of data protection in the Agreement, it does not itself deal with the key question of whether the European Commission determines the UK’s data protection regime is “adequate”. To avoid disruption to data flows, therefore, the Agreement provided for an interim period during the first half of 2021 in which data could continue to flow freely between the UK and EU. This interim period came to end on 28 June 2021 when the European Commission granted the UK adequacy.

  • For information about how the Agreement impacted data protection legislation in the UK between 1 January 2021 and 28 June 2021 when the European Commission published their adequacy decision, please see our guide (29 December 2020).
  • For more information on the EU's adequacy decision, please see our article here (1 July 2021) 

Organisations that process data in the EU and the UK may now be subject to both the EU GDPR and the UK GDPR. To ensure compliance with all applicable data protection laws, it is vital that organisations:

  • take stock of their data protection practices 
  • understand the impact of data protection law on their business
  • take any necessary action.

Our team have advised clients on how to deal with the uncertainties around Brexit, including arrangements for transferring data to and from the UK, the requirements for appointing a Data Protection Officer, and reviewing and updating standard engagement terms to take account of Brexit.

For more information on the GDPR and the UK GDPR and what steps your business might need to take, look at our overview here.