Following UK’s withdrawal from the European Union the GDPR and the UK varied/applied GDPR will merge to form the UK GDPR at the end of 2020.
The DPA 2018 introduced the applied/varied GDPR, extending GDPR standards to certain processing activities outside the scope of EU.
The GDPR will be referred to in the UK as the EU GDPR.
The DP Brexit Regulations make amendments to the DPA 2018 and other legislation relating to:
- The territorial scope of the UK GDPR
- International transfers of personal data
- The Information Commissioner
- Consequential amendments to references to institutions, member states and decisions
- Other legislation
The UK GDPR will operate under the European Union (Withdrawal) Act 2018 (EUWA) and will sit alongside the DPA 2018.
Data Controllers will, therefore, need to familiarise themselves with the terms UK GDPR and EU GDPR and look at what changes need to be made in readiness for the end of the transition period, for example changes to privacy/data protection policies and other data protection documentation.
The UK government intends that after the end of the transition period, the UK GDPR will apply to controllers or processors located outside the UK, but who process personal data about individuals in the UK in connection with offering goods or services or monitoring behaviour. The UK Government intends to require controllers in this category to appoint a UK representative, so it is possible that some organisations and businesses will need representatives in both the EU and the UK. This will take effect at the end of 2020.