What the EU-UK Trade and Cooperation Agreement means for data protection and privacy

in Industry Insights, 25.01.2021

The newly implemented EU-UK Trade and Cooperation Agreement (“Trade Agreement”) brings change to many facets of life. As we adjust to these new developments, we would like to bring one particular area to your attention: the impact the Trade Agreement has on data protection and privacy. From the current interim period, to changes that went into immediate effect, we break down everything you need to know.

Three things to know about the interim period for the transmission of personal data from the EU to the UK:

  1. The interim period is dependent on the UK data protection law remaining as it was on 31 December 2020 and the UK not exercising any “designated power” without EU agreement. Designated powers include introducing new standard/model clauses, new codes of conduct and certification mechanisms, or new binding corporate rules.
  2. It will last for a maximum period of four months with the possibility of an extension of two additional months.
  3. It also applies to the transmission of personal data to the UK from Iceland, Liechtenstein and Norway.

The Agreement makes it clear that this interim period will only work as long as both parties do their part to ensure the protection of individuals’ personal data. The Law Enforcement & Judicial Co-operation section of the Trade Agreement will be suspended at the first wind of any inadequacies.

Three key changes to data protection and privacy that went into force 1 January 2021:

  1. European representatives: UK organizations targeting EU individuals must appoint a representative located in one of the EU members states. This change also applies for global organizations that currently have their European representative located in the UK: they must appoint one residing in an EU member state.
  2. Regulators: Organizations operating in both the EU and the UK now have at least two regulators (the UK ICO and the corresponding EU authority) to report to.
  3. Accountability: Organizations need to be prepared to take appropriate action if the UK does not receive an adequacy decision at the end of the interim period, e. implementing standard contractual clauses (SCCs) and binding corporate rules (BCRs) and international data transfer impact assessments.

KPMG Data Protection Expertise

Our teams of professionals, in Luxembourg and abroad, understand the dynamics of a successful data protection and privacy program. Reach out and let us help you and your organization navigate the challenges of the current and future data protection landscape.