Last week, a news article popped up. “UK to overhaul privacy rules”. Naturally, it piqued some interest. The UK debated revoking the GDPR before they finished implementing it. By the time the GDPR came into effect in 2018, several years had passed since the UK announced its intention to leave the EU.

However, we have now officially left the EU and completed the transition period. We are no longer obligated to comply with EU regulations. This doesn’t mean the GDPR has disappeared,  but it does change some of the rules of the game.


We’ve Left The EU. Why Do We Still Have The GDPR?

As of January 2021, the Brexit transition period has ended. EU laws no longer apply to the UK. Therefore, the EU GDPR technically no longer applies to the UK.

The key word here is “technically”. According to the ICO, “The GDPR is retained in domestic law as the UK GDPR”. The UK GDPR writes the same privacy rules into UK law, with just a few minor changes. These laws remain regardless of our status within the EU.

The key difference now we have left the EU, is that we are no longer obligated to have a privacy framework identical to the GDPR, and the UK government now keeps the framework under review themselves. They also now have the power to scrap the whole thing.

What Will Change: International Data Transfers

While it is now technically possible, it’s unlikely the GDPR is going away any time soon. However, there may be changes that alter how schools and colleges handle their data.

Firstly, updates to current international adequacy agreements would affect bringing on new suppliers.

As part of choosing a data processor, schools and colleges must assess whether personal data leaves the UK.  If a company holds data in a country where data protection laws are not as stringent as ours, this puts undue risk on that data. These data processors should implement additional protections for personal data such as Standard Contractual Clauses.

Adequacy agreements negate the need for these additional protections. The UK has agreed with multiple countries that any data moving from the UK to those countries will be treated with the same security as if it were still in the UK. Upon leaving the EU, the UK government has announced plans to strike new adequacy agreements with additional countries. As the UK begins discussions with various nations, and adequacy agreements shift and change, the suitability of different data processors will also vary. Schools and colleges will need to keep an eye on policy changes regarding international data transfers, to make sure they have all the appropriate safeguards in place. should the UK remove a country from the list of “adequate” countries, schools and colleges should either terminate any contracts with data processors there, or ensure there are additional measures to protect any transferred data.

What Will Change: The Bigger Picture

Secondly, the UK government have stated that they intend to “improve the UK’s data protection regime to make it even more ambitious and innovation friendly.” To break this down into layman’s terms, the UK government want to ease the path to data sharing where they believe it could fuel growth for the country. It’s not entirely clear what this will mean in terms of specific changes to the current privacy rules. However, the UK are unlikely to entirely revoke the GDPR.

The UK already has adequacy agreements with over 30 countries, via the EU’s GDPR framework. If the UK were to massively reduce the data protection regulations, they would no longer be in line with the GDPR, and we would lose our adequacy agreements with these EU countries. Seeing as the UK government are keen to increase the number of adequacy agreements and data partnerships, it feels unlikely they’ll sacrifice agreements with the entire European Union, in order to relax data protection regulations.

Is the GDPR Here to Stay?

It certainly looks that way. The rumoured “overhaul” is currently more of a renovation. The GDPR will still be providing a framework for data protection and providing individuals with important data related rights.

So, as we start a new year of education and innovation, lets keep data protection at the core of it all. Responsible use of data builds trust between your organisation and your staff, students, clients and customers. It’s worth keeping that confidence. Without trust, it’s far harder to flourish.