GDPR when the Brexit transition ends (in January 2021)

Photo of feet standing over the UK and EU flags

Share This Post

At the time of writing this article (22nd December 2020), we’re less than 2 weeks away from the end of the Brexit transition period and whilst it’s being suggested the bulk of any agreement between the UK and EU has been agreed, there are still sticking points which are holding everything up.

This means a number of potential outcomes, come the 1st January 2021 (when the Brexit transition period ends):

  1. The “sticking” points in the discussions derail the whole Brexit agreement with the EU meaning that we have a “no deal” Brexit
  2. The “sticking” points are separated from the agreed provisions of the agreement and we get a part-deal Brexit
  3. The “sticking” points are sorted and a Brexit deal is agreed

The truth of the matter is it is still not clear which one of these outcomes may arrive by the end of the year or indeed the rolling on of extensions, into 2021. We of course, probably all expected there to be clarity by now, particularly as the government has been pushing their “time is running out campaign” telling us to prepare, but with little guidance about what we’re supposed to be preparing for. And even if a no-deal Brexit is averted, it’s still not clear what that means for GDPR compliance.

Post-Brexit and the GDPR issues (for UK businesses)

At the moment, you have little choice than to wait and see or plan ahead, but these are the things you need to consider:

  • Even though we will not be part of the EU, the GDPR will still apply in the UK. We will have UK GDPR which will apply alongside the existing Data Protection Act 2018. So, generally speaking, for UK businesses there is no change: if GDPR applies to you now, it will continue to apply to you, post-Brexit transition
  • You will have to consider whether your EU customers will expect you to have standard contractual clauses (SCC) in place to deal with the fact that EU to UK data flows will be restricted, in the absence of an adequacy decision. The SCC will be required where you act as a Data Processor for EU Data Controllers (or Processors)
  • You may have to appoint (and publish details of) an EU representative if you sell products and services to EEA individuals, or, if you monitor the behaviour of individuals in the EEA – this is likely to be the case whether there’s a Brexit deal or not
  • If you operate within the EU but have customers in multiple EU members states, you are unlikely to be able to make use of the regulatory authority “one stop shop” and may have to answer to the ICO in the UK as well as multiple regulatory authorities across the EU – this is likely to be the case whether there’s a Brexit deal or not

GDPR in the UK, post-Brexit transition (for all non-UK (including EEA) businesses)

As well as the above considerations, Brexit introduces an additional consideration for all non-UK businesses: just like UK businesses will have to consider whether they need an EU representative, organisations outside the UK (including EEA countries) will need to appoint a UK representative if they sell products or services to UK individuals or if they monitor the behaviour of UK individuals (so essentially the same EU representative rules, just the other way round).

What’s the EU telling EU businesses?

In terms of guidance, it seems we are expected to plan according to a no-deal Brexit. That certainly seems to be the case for EU businesses who are being advised by the EDPB to prepare before the end of year for a no-deal scenario.

What does this mean in practice for UK organisations?

If you process EU data (whether as a Data Controller or Data Processor) you will need to consider the implications to your EU data processing. In reality this could mean any of the following, if there is no-deal that impacts the UK-EU GDPR relationship:

  1. You will either need to put the Standard Contract Clauses in place for your EU customers, or expect your EU customers to be asking you to sign the Clauses
  2. You may need to appoint an EU representative
  3. You will continue to be answerable to the ICO, but could also be answerable to any of the EU member states regulatory authorities; if you have an establishment within the EEA then you will need to identify if you have any cross-border processing and just who your lead regulatory authority is


More To Explore

Eat. Sleep. GDPR. Repeat.

We live and breathe GDPR and ePrivacy compliance, so you don’t have too. Our GDPR UNLIMITED helpline is all about offering you help and support, whenever you need it most. As well as the unlimited helpline, you get up to 4 hours “hands-on” help each month, which we can configure to help you in anyway you need such as a GDPR review, or acting as your DPO.

As well as the unlimited helpline and hands-on help you get GDPR and privacy updates, access to our GDPR knowledge centre and webinars.

Unlimited email & phone support

Unlimited email and phone support. Email or organise a voice call as often as you need each month.​

Up to 4 hours "hands-on" help per month

We use these "hands-on" hours to do the GDPR work for you, such as reviews, acting as your DPO, checking DPIA, dealing with breaches, training your staff, etc. (Additional hours: £100+VAT per hour)

Online resources

Our Knowledge Centre gives you access to information, guidance, topic related guides and other tools to support your GDPR and PECR compliance

Updates, alerts & briefings

We provide updates and alerts and a monthly compliance briefing. You can either sign into the Knowledge Centre or sign up via email to receive an email every time we add a new update or alert

DPO services

Whether mandated or not we can act as your Data Protection Officer (DPO) and manage your day to day compliance

Webinars, workshops & training

Whether updates on the latest issue, workshops or team training, it's all included in your monthly retainer.

LIKE WHAT YOU'RE READING? join our email list

Sign up for monthly briefings and the occasional emails about our webinars and services

Want to know more about how we use your data? Check out our privacy policy