It is hard to generalise, and advice should be taken based on specific circumstances, but some points to note are as follows:
- The UK has passed data protection legislation (the Data Protection Act 2018) which reflects the provisions of the GDPR, including its data transfer provisions, and has retained its ePrivacy legislation. Likewise, the ICO remains empowered to impose GDPR-level fines. So it is important that, where a contract’s scope could cover the UK and where personal data will be processed, the contract continues to include suitable data protection provisions.
- Factors affecting suitability will include whether you are a processor or a controller, and whether you export or import personal data pursuant to the contract and where to.
- The CJEU’s recent decision in the Schrems II case has (to say the least) complicated the question of how organisations can comply with data transfer laws. Parties to a contract will need to review the requirements which UK and EU regulators expect to be addressed in light of the case, depending upon where personal data is transferred pursuant to the contract.
For further information on steps to take to ensure continued data protection compliance, please see our recently published article on the topic: Ready, Steady, Brexit: Your Data Protection checklist for 1 January 2021 (twobirds.com)