Now that the UK has left the EU and the transition period is over, some UK businesses are understandably confused by how the GDPR applies to them and what changes have been made. Having a robust and compliant data protection framework in place is not only mandatory for those processing personal data, but it is also a reputational requirement for demonstrating the compliant and ethical handling of personal data.
UK GDPR Compliance
The DPA18 has been amended to sit alongside the UK GDPR, ensuring it is adequate for the UK’s data protection framework, and the government have published ‘Keeling Schedules’ for both the UK GDPR and DPA18 which show the amendments.
Know Your Compliance Limited have developed an extensive portfolio of UK GDPR compliant policies, procedures, templates and checklists to make upgrading your existing data protection program simple.
Essential ICO Guidance
As always, the ICO have published extensive guidance and information for UK based businesses on what the ‘UK GDPR’ is and how to comply. This guidance also applies to organisations based outside the UK where their processing activities relate to the offering of goods/services to individuals in the UK; or if they are monitoring the behaviour of individuals which takes place in the UK.
The good news for UK businesses is that under the Withdrawal Agreement, the GDPR has been retained in domestic law (UK GDPR) now that the transition period has ended.
The biggest change is how personal data flows in and out of the UK. Currently (owing to the UK-EU Trade Deal), the UK data protection regime is aligned with ‘frozen GDPR’ (as it stood on 31 December 2020) and so UK businesses who transfer personal data outside the UK can continue to read the ICO guidance based on the UK GDPR.
This will only change once the UK receives an Adequacy Decision from the EU (or 6 months from the trade deal date, whichever is sooner).