January 30, 2020

ICO Warns That During Brexit Transition Period It’s ‘Business as Usual’

"If you operate inside the UK, you will need to comply with UK data protection law."

By CBR Staff Writer

This week the Information Commissioner’s Office (ICO), the UK’s data protection authority, is warning businesses that during the Brexit transition period it’s ‘business as usual’.

While negotiations about the nature of the future relationship between the UK and the EU are being hammered out, the ICO is warning that at the end of the transition period: “The default position is the same as for a no-deal Brexit: the GDPR will be brought into UK law as the ‘UK GDPR’.”

There is still uncertainty around the structure of data regulation in the UK following the end of the transition period, which occurs in December of 2020. However, the ICO is clearly warning businesses that, as far as it is concerned, anyone who is processing personal data should follow their current data protection obligations as they are laid out in the GDPR.

The ICO has stated that: “The GDPR is an EU Regulation and, in principle, it will no longer apply to the UK from the end of the transition period. However, if you operate inside the UK, you will need to comply with UK data protection law. The government intends to incorporate the GDPR into UK data protection law from the end of the transition period – so in practice there will be little change to the core data protection principles, rights and obligations found in the GDPR.”

Brexit Transition Period

The ICO will remain an independent supervisory body with regard to UK data protection legislation. It notes that if a company is transferring personal data from the UK to an EU entity then it can proceed as normal, as the UK government has stated that it will put no restriction on data flow. However, if the company is receiving data from a firm based in the EU, it will need to take extra steps to ensure it is compliant.

One step the ICO notes companies no longer need to take is the appointment of a European Economic Area (EEA) representative during the transition period. It states that: “During the transition period you do not need to appoint a representative in the EEA. However, you may need to appoint a representative from the end of the transition period if you are offering goods or services to individuals in the EEA or monitoring the behavior of individuals in the EEA.”

The ICO has previously advised that one of the best approaches when dealing with EU bodies from the UK is to establish standard contractual clauses (SCCs). The SCCs should outline the data protection responsibilities of a company with regard to GDPR legislation in the EU. The SCCs would essentially establish contractual terms and conditions that ensure both companies process data in a legal manner.
