The Department for Digital, Culture, Media & Sport (“DCMS”) has published guidance on how the UK’s data protection laws will interact with the EU if there is no Brexit deal. The guidance contemplates that, upon Brexit, GDPR will be incorporated into UK law through the EU Withdrawal Act and the current UK Data Protection Act 2018 will remain in place.
However, after Brexit, data transferred from the remaining EU27 to the UK would be restricted under GDPR. To allow data to flow freely, the UK government is keen to obtain an adequacy decision from the EU, which would recognise that the UK’s data protection law provides the same level of protection as that of GDPR. However, the European Commission has indicated that such a decision can only be made after the UK leaves the EU and becomes a third country. If no adequacy decision or other forms of agreement are reached prior to Brexit, the DCMS expects that most organisations will need to rely on the model clauses adopted by the EU Commission when transferring data from the EU to the UK, in order to ensure compliance with GDPR.