From 1 January 2021, the GDPR was retained in UK law (as the UK GDPR) and continues to be read alongside the DPA. On the same date, the UK became a ‘third country’ (a non-EU country) for the purpose of personal data transfers outside the EU.
In the long term, this will require an ‘adequacy decision’ by the European Commission on the suitability of the UK’s data protection framework under the DPA 2018. It may also result in a legally-binding data protection agreement between the EU and UK.
In the short term, businesses can continue to transfer personal data between the EU and UK without the need to take additional measures (eg entering into the standard contractual clauses). The Trade and Cooperation Agreement between the EU and UK states that until 30 June 2021, the transfers of personal data from the EU to the UK will not be considered a transfer to a third country. This is subject to certain safeguards (ie the UK not amending its data protection laws without the EU’s agreement).
UK data controllers and processors may also need to appoint EU-based representatives from 1 January 2021. This will be required where a business:
has no offices, branches or other establishments in the EEA, and
offers goods or services to individuals in the EEA or monitors the behaviour of individuals in the EEA
Where this applies to your business, you must authorise the representative, in writing, to:
The representative can be an individual, company or organisation established in the EEA, and must be able to represent you regarding your obligations under the GDPR.