GDPR and Brexit: Do UK law firms still need to comply?
On 1st January 2021, the Brexit transition period ended. For UK-registered businesses and law firms, this means that they are no longer bound by EU laws – including the EU GDPR.
However, that doesn’t mean that GDPR isn’t still relevant for today’s firms. In fact, over the course of last year, the EU GDPR was incorporated into UK data protection law as the UK GDPR. So in practice, there’s actually very little change to the core data protection principles, rights and obligations found in the new GDPR by which UK firms are now bound.
The main change for firms is where personal data is transferred into or out of the UK. Though there are many nuances to the UK data protection law, below we’ve highlighted some of the key points, as well as how you can keep your firm’s data flowing in 2021.
Does the EU GDPR still apply?
As mentioned above, the EU GDPR has been incorporated into the UK’s data protection law. So, while the regulation may not directly apply to your firm, the core principles do.
The EU GDPR is also still relevant for UK firms that operate in Europe or hold information on EU nationals. Furthermore, the EU GDPR still applies to any organisations in Europe that share data with your firm, so you may need to work with them on how best to transfer personal data to the UK, keeping in line with the UK GDPR.
What is the UK data protection law now that the transition period is over?
The UK data protection law is now made up of the Data Protection Act 2018 and the UK GDPR. If your firm never transfers or holds data on EU nationals, you only need to worry about adhering to the UK data protection rules.
The key differences between EU GDPR and the UK GDPR
The EU GDPR and its UK counterpart are nearly identical, with a few amendments to make the UK version work in a UK-only context. The main difference lies in the provisions on transferring data in and out of the UK.
Currently, there are no restrictions on transferring UK personal data to the EU, as long as it’s done in line with UK GDPR.
If you need to transfer data between the UK and a non-EU country, you will need to implement some extra safeguards. Usually, the simplest way to do this is with standard contractual clauses. The good news is that the UK government has agreed adequacy with several nations, meaning that data transfer can occur without the need for standard contractual clauses.
Transferring data from the EU to the UK is where it gets a bit mucky. The UK government is currently seeking a European Commission ‘adequacy decision’ which will allow data to flow freely under those rules. If an ‘adequacy decision’ is not made as part of the new trade deal, data transfers from the EU to the UK must comply with the EU GDPR rules. For the time being, the EU has agreed to delay transfer restrictions for at least four months.
How to keep your firm’s data flowing in 2021 and beyond
Trying to navigate the new data sharing rules can be complicated. However, employing the right technology can help ease the transition, ensure compliance and safeguard your data.
There are a number of ways to use legal workflow automation to effectively enforce data protection policies and ensure compliance with evolving regulations. For example, using Sysero, firms can embed data protection best practices into standardised workflow templates. Data protection expertise can be modeled into workflows and processes – and evolve as needed – to streamline compliance across the entire firm.
Other features such as risk-based automation acceptance and pseudonymization of data can also go a long way in protecting your firm’s data and mitigating risk in case of a data breach. If your firm’s data privacy practices are ever called into question, legal workflow automation can help prove compliance through audit trails and archiving.