Data Protection Act (DPA) exchanges Post-Brexit
At 11.00 p.m. on 31 December 2020, the transition period will expire and the UK will no longer be subject to the EU General Data Protection Regulation (EU GDPR) as far as internal data processing is concerned.
Organisations which neither send data to nor receive data from the EEA are nevertheless advised by the Information Commissioner’s Office to continue to operate to the same standard as EU GDPR. This is because the UK is committed to maintaining the high standards of the EU GDPR and the government has legislated to incorporate the same terms into UK law when the transition period ends, via the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. This will be known as “UK GDPR”.
Entities sending to or receiving data from the EEA will remain subject to EU GDPR and must ensure that they remain compliant. Rules for sharing data with countries outside the EEA will remain similar.
In practical terms, therefore, little will change except that domestic data processing will be subject only to the Data Protection Act 2018 and UK GDPR, as interpreted by the UK courts alone.
In the insurer and law firm intelligence data sharing world, the old “Section 29” requests (DPA 1998), now known as “Schedule 2 requests” (DPA 2018) could theoretically differ from EU GDPR. However, based on the intention of the government that UK GDPR should mirror EU GDPR makes it extremely unlikely that we will see any material difference.
Nevertheless, insurers may want to update their precedent DPA exchange letters though, to reflect the change in legislation.