Some US companies who do business in the UK are wondering whether they need to update their GDPR notices or take other steps now that the UK has officially left the European Union. The answer is: Not yet. The threat of a “Hard Brexit” with immediate changes to UK laws has passed. We have eleven months to go before the next key deadline. The steps that US and other companies will need to take will depend on the discussions between the UK and the EU during that time.
As of January 31, when the UK officially left the EU under the Withdrawal Agreement, the UK is in a transition period that will end on December 31, 2020. The transition period is effectively a regulatory standstill period during which the UK will abide by current EU laws and be treated as a member of the EU’s single market. During the transition period, the EU and UK will attempt to negotiate new deals governing trade, immigration, law enforcement, security, and other matters. The December 31, 2020 end date could be extended, but the UK Government has so far sent strong signals that it does not want an extension.
The UK will continue to comply with the GDPR during the transition period, and, in substance, afterward as well, by virtue of the UK Data Protection Act 2018. The UK Information Commissioner’s Office has updated its guidance on Brexit to reflect the actual exit under the Withdrawal Agreement. The ICO’s updated Brexit FAQ is a quick read that covers the main concerns that companies will have.