The Government has released guidance on the amendments to UK data protection law in the event that the UK leaves the EU without a deal.
The EU (Withdrawal) Act 2018 retains the GDPR in UK law and the principles, obligations and rights that organisations and data subjects, processors and controllers have now will stay the same.
To ensure the UK data protection framework continues to be effective when (if!) the UK is no longer an EU Member State, the Government said it will make “appropriate changes” to the GDPR and the Data Protection Act 2018 and will publish details in the next few weeks.
In general, the vast majority of the changes will involve removing references to EU bodies and procedures that will not be directly relevant when (if!) the UK is outside the EU but will be replaced with terms that make sense in a UK context. For example references to “Union or Member State law” will instead be read as “domestic law”; while references to some decisions made by the EU Commission will be replaced with references to decisions made by the UK Government.
The department for Digital, Culture, Media & Sport says these changes would:
• preserve EU GDPR standards in domestic law;
• transitionally recognise all EEA countries (including EU Member States) and Gibraltar as “adequate” to allow data flows from the UK to Europe to continue;
• preserve the effect of existing EU adequacy decisions on a transitional basis;
• recognise EU Standard Contractual Clauses (SCCs) in UK law and give the ICO the power to issue new clauses;
• recognise Binding Corporate Rules (BCRs) authorised before Exit day;
• maintain the extraterritorial scope of the UK data protection framework; and
• oblige non-UK controllers who are subject to the UK data protection framework to appoint representatives in the UK if they are processing UK data on a large scale.
Detailed guidance, such that exists, can be obtained on the UK Government website
