Two regulations readying UK data protection law for a post-Brexit world have been promulgated in recent weeks. These regulations will only come into force upon the UK’s withdrawal from the EU. The regulations are intended to preserve the status quo post-Brexit by amending certain provisions of the GDPR to allow it to become UK domestic law and by gradually adopting certain key decisions of EU institutions that would, collectively, allow continued lawful personal data flows into the UK.
While much of the adaptation of the GDPR to UK law is semantic, some of it has the effect of imposing new requirements on entities that process personal data in the UK. The most notable example is Article 27 of the GDPR, which requires appointing a representative in the UK post-Brexit. The second set of regulations supplements the first with respect to the EU-US Privacy Shield, and will require, in essence, that Privacy Shield-certified companies in the U.S. include in their privacy policies a commitment to comply with the Privacy Shield principles with respect to personal data that originated in the UK.