As of 11:00pm tonight the Withdrawal Agreement between the UK and the EU becomes effective.  Many companies have planned for a No-Deal-Brexit, securing data privacy representatives in the UK and the EU separately, and standing by with contract revisions at the ready.  The Withdrawal Agreement provides for a transition period until the end of 2020, during which the GDPR continues to apply to the transfer of personal information between the UK and the EU.

One issue with a No-Deal-Brexit was that since the UK had not yet obtained a ruling from the EU Commission that its data privacy and protection laws provides an adequate level of data protection transfers of personal data between the EU and the UK could only be made subject to additional protections, for example, the Standard Contractual Clauses.  The hope is that during the transition period the UK will amend its current Data Privacy law the Data Protection Act 2018 to ensure to obtain this adequacy decision.  The Data Protection Act of 2018, with amendments, if any will continue to apply in the UK and for the collection and processing taking place wholly with the UK.

The current guidance recommends that at the end of the transition period companies collecting and processing personal information to individuals in both the UK and EU will need to appoint representation in both the UK and the EU and will need to register with a supervisory authority in the EU or the UK depending on the original registration.  Following the end of the transition period the GDPR will continue to apply to personal information collected and processed from data subjects in the EU. 

Other laws covering aspects of data privacy and protection including the PECR (marketing, cookies, and electronic communications), the NIS rues (network and information systems) and their EU counterparts will continue to apply during the transition period.