You’re likely aware of the significant impact that the General Data Protection Regulation (GDPR) has had on businesses worldwide. However, the United Kingdom’s exit from the European Union, commonly known as Brexit, has raised questions about the future of GDPR in the UK. This article will delve into the implications of Brexit on GDPR and what it means for your e-commerce business.
The Impact of Brexit on GDPR
Brexit officially took place on January 31, 2020, after months of negotiations and mixed reactions. During the transition period that lasted until December 31, 2020, EU GDPR continued to apply in the UK. However, with the UK exiting the EU and falling outside of the GDPR zone, it became a “third country” with restrictions on data flow between the two sides.
To ensure the free flow of data, the EU and UK signed a deal that allowed uninterrupted data flow for six months starting from January 1, 2021. Following that, on June 28, 2021, the EU adopted an adequacy decision for the UK to allow uninterrupted data flow from the EU without further supervisory authorization or legal measures for four years (until June 2025).
The UK GDPR 2021
To meet its commitment under the Withdrawal Agreement to provide a level of data protection equivalent to the EU’s, the UK government amended the EU GDPR and created a new domestic law, the UK GDPR, to replace it.
Businesses based in or outside the UK that previously followed the EU GDPR when processing UK users’ personal data now have to comply with the UK GDPR requirements. Those that offer goods and services to EU users should continue to follow the EU GDPR.
The Amended Data Protection Act (DPA) 2018
The DPA 2018 was amended again on January 1, 2021, following the end of the UK’s post-Brexit transition period. The DPPEC merged the EU GDPR rules to create a new data protection regime known as the UK GDPR.
What Happens to GDPR After Brexit?
The EU GDPR is the most robust and stringent data protection law that affects many businesses worldwide. After Brexit, there are a few notable changes that you may want to be aware of:
- Businesses operating in the UK and offering goods and services to UK individuals are no longer required to follow the EU GDPR. They have to align all their policies and privacy practices with the UK GDPR.
- UK businesses operating in the EU and offering goods and services to EU individuals must continue to follow the EU GDPR along with the UK GDPR.
- The ICO is no longer the UK regulator for any EU GDPR-related concerns. It is the independent supervisory body for UK data privacy laws.
- Data transfer from the UK to the EU will be subject to the UK International Data Transfer laws and EU SCCs.
UK International Data Transfer Post Brexit
On February 2, 2022, the Secretary of State issued the International Data Transfer Agreement (IDTA), the Addendum to EU SCCs, and transitional provisions under Section 119A of the Data Protection Act 2018. The IDTA allows for international transfers of data from the UK to countries with equivalent data privacy laws.
GDPR and Brexit: The Future
On May 10, 2022, the UK government announced that it will be introducing a Data Reform Bill. The Bill will create a new, more agile regulatory regime that minimizes the bureaucratic time and cost burden placed on SMEs while giving them the tools they need to thrive. It will also make UK citizens’ data rights stronger than ever before, helping to give them greater control over how companies use their personal data.