The EU-UK Trade and Cooperation Agreement requires adapting to new trading arrangements, rules and regulations. This information for businesses trading cross-border between Ireland and Northern Ireland covers GDPR, data protection and data transfers.
The EU has formally recognised the UK’s high data protection standards. This will allow the continued seamless flow of personal data from the EU to the UK and is expected to last until 27 June 2025.
The decisions mean that UK businesses and organisations can continue to receive personal data from the EU and EEA without having to put additional arrangements in place with European counterparts. This GOV.UK press release explains more about the Data Adequacy Agreement.
How do EU and UK rules for GDPR compare?
The General Data Protection Regulation (GDPR) is the EU wide regulation that contains the data protection rules. These common rules set out the obligations of businesses and organisations that acquire, hold, control or deal with personal data and the rights of persons to whom the information relates.
UK GDPR is the retained version of the EU GDPR which forms part of UK law. As of March 2023, the Data Protection and Digital Information (No.2) Bill is before Parliament which, if and when passed into law, will replace and update UK GDPR with new comprehensive UK legislation. The UK Information Commissioner's Office website has a comprehensive guide to the UK General Data Protection Regulation.
How do EU and UK rules for data protection compare?
Data Protection is about the privacy of information (data) relating to people. It covers any information collected, held or used by a business or organisation that relates to a living person in any way that is held in electronic form or in a physical filing system.
The rules were strengthened considerably by the EU-wide General Data Protection Regulation (GDPR) which took effect in 2018. EU GDPR applies to EU based organisations and organisations outside the EU which offer goods or services to, or which monitor behaviour of persons in the EU. The Irish Data Protection Commission provides guidance for persons and organisations on all aspects of data protection in Ireland and the EU.
UK GDPR is almost identical to EU GDPR, so that the rules on data protection are the same or almost the same in both the EU and UK. UK GDPR applies to UK based organisations and organisations outside the UK which offer goods or services to, or
which monitor behaviour of persons in the UK. The Information Commissioner’s Office provides guidance for persons and organisations on all aspects of data protection in the UK.
The Information Commissioner's Office has a helpful overview of Data Protection and the EU which provides guidance for UK businesses which deal with the EU.
How do EU and UK rules for data transfers compare?
The wider EU-UK Trade and Cooperation Agreement allowed the continued free flow of personal data from the EU/EEA to the UK until adequacy decisions came into effect. On 28 June 2021, the EU made adequacy decisions which recognise the UK’s data protection standards. This decision is due to apply until 27 June 2025 when it is to be reviewed further.
The UK Government has stated that transfers of data from the UK to the EEA( EU plus Iceland and Norway and Liechtenstein) are permitted. It says it will keep this under review. Up to date information is available from the UK Information Commissioner's Office.
Further information
- Information Commissioner's Office: Overview - Data Protection and the EU.
- GOV.UK: Guidance on Using personal data in your business or other organisation.
- The Data Protection Commission Ireland: Information about organisational obligations under data protection legislation and the General Data Protection Regulation.
Article reviewed: Nov 24