ICO Issues Warning in Relation to Brexit Transition Period & GDPR

In the United Kingdom the data protection authority, the Information Commissioner’s Office (ICO), has issued a warning to businesses that they must adhere to existing data protection legislation as the country moves away from the European Union.

The transition period should come to a close, as planned, at the end of December 2020 and it is envisaged that the European Union’s General Data Protection Regulation (GDPR) will be transitioned into UK law as ‘UK GDPR’.

The ICO has stated that: “The GDPR is an EU Regulation and, in principle, it will no longer apply to the UK from the end of the transition period. However, if you operate inside the UK, you will need to comply with UK data protection law. The government intends to incorporate the GDPR into UK data protection law from the end of the transition period – so in practice there will be little change to the core data protection principles, rights and obligations found in the GDPR.”

It is important to remember that, whatever legislation is passed in the UK to deal with data privacy, if a UK-based business or organisation is dealing with or managing the private date of UK based clients then they will still be subject the to EU GDPR in the same way that any business based outside of the EU would be. Due to this it is vital to ensure that UK-based entities remain compliant with the EU GDPR at all times. At this early stages it does does clear that the obligations and requirements will be practically identical in both sets of legislation.

ICO said: “It is not yet known what the data protection landscape will look like at the end of the transition period and we recognise that businesses and organisations will have concerns about the flow of personal data in future. We will continue to monitor the situation and update our external guidance accordingly. ”

However, ICO has said that it will not be a requirement to appoint an European Economic Area (EEA) representative during the transition period, thought this may well be a requirement in the immediate aftermath of the transition period coming to an end.

The ICO statement said: “During the transition period you do not need to appoint a representative in the EEA. However, you may need to appoint a representative from the end of the transition period if you are offering goods or services to individuals in the EEA or monitoring the behavior of individuals in the EEA.”

One position that will definitely changing when the transition period comes to a close is that ICO will no longer be policing compliance with European Union data privacy legislation. Instead it will only be dedicated to ensuring the UK data privacy legislation is being complied with. The FAQ section of ICO has been update to state: “ICO will not be the regulator for any European-specific activities caught by the EU version of the GDPR, although we hope to continue working closely with European supervisory authorities.”

It will continue to be as important as ever for UK-based companies to ensure that that are compliant with GDPR if they are managing the private data of those in the EU and they must also ensure that they are complying with the new UK data privacy legislation.