Bridging the protection gap

UK data protection law was previously governed by the GDPR and had been since it was introduced in 2018.

This ceased to have direct effect from January 1 but as the UK is committed to maintaining an equivalent data protection standard, the UK-GDPR will apply going forward. The Data Protection Act 2018 (DPA 2018) also remains in place with some technical amendments.

The UK-GDPR is essentially a duplicate of the GDPR, containing all of the same obligations and duties, but tailored specifically for the UK.

Processing previously covered by the GDPR now falls under the UK-GDPR.

For businesses operating solely in the UK, in practice there is little change to the core data protection principles, rights and obligations, but there are implications for the rules on transfers of personal data between the UK and the European Economic Area (EEA).

The UK government is seeking adequacy from the European Commission – a recognition that UK laws provide a level of data protection that matches the GDPR, and granting the country a special status of adequacy.

The EU has agreed to delay data transfer restrictions for at least four months

A number of countries have already been granted adequacy, meaning that transfers of data can take place between the third country (a state that falls out of the GDPR zone) and the EEA as if the country were a member state, effectively.

As part of the trade deal, the EU has agreed to delay data transfer restrictions for at least four months, potentially extending to six - known as the bridge.

This means that the UK isn’t considered as a third country as yet, and the personal information of EU citizens will continue to be sent freely to the UK, until an agreement on adequacy is reached.

If you receive personal data from the EEA, its recommended you put alternative safeguards in place before the end of April, if you haven’t done so already.

While it is hoped that adequacy will be approved, it is not a done deal and businesses should be mindful that the GDPR will still apply to you if you offer goods or services to persons in the EEA in terms of how data is processed.

It will also apply to organisations in Europe who send data to you, as they will need to comply with UK legislation, if the trade deal bridge ends without adequacy

  • To read this feature in full and access further Lancashire business news, advice and analysis subscribe to Lancashire Business View magazine or join the LBV Hub from just £2.50 per month. Click here to subscribe now.