As the UK has written the EU GDPR into UK law (UK-GDPR) to be read alongside the DPA18, much of the former Regulation on data protection still applies as written to those processing personal data within the UK. The main area causing some confusion is GDPR Chapter V (Art. 44-50) on transfers of personal data to third countries or international organisations.
As the UK is no longer part of the EU and has yet to be afforded an Adequacy Decision by the European Commission, additional safeguards (such as standard contract clauses) would normally be required to receive or process personal data from the EU. However, the UK-EU Trade Deal which was finally agreed on Christmas Eve and came into force at 11.00pm on 31st December 2020 has some important clauses for the interim transfer of personal data between the EU and UK.
What the UK-EU Trade Deal says about Data Protection
Whilst the agreed trade deal does not lend itself to data protection or adequacy decisions directly, article FINPROV.10A does note that “for the duration of the specified period*, transmission of personal data from the Union to the United Kingdom shall not be considered as transfer to a third country under Union law”.
*The specified period began on 1st January 2021 and ends either on the date on which adequacy decisions in relation to the UK are adopted by the EC, or four months after the specified period begins (which can be extended by two further months unless one of the parties objects).
The trade deal advises that during the specified period, the UK must not exercise any designated powers without the agreement of the Union, and as such the UK-GDPR and DPA18 will remain in the same for as of 31st Dec 2020 for this duration (meaning the UK-GDPR is mostly still aligned with the EU GDPR).
Data Transfers from the UK
There are no restrictions or alterations on sending personal data from the UK to the 27 EU states, 3 EEA states or the additional 12 countries who were already afforded an adequacy decision by the EU whilst the UK was still a member. This is because the UK has carried over the 42 adequacy decisions, so that personal data from the UK can continue to flow seemlessly.