Legal News | 4.12.20

GDPR AND BREXIT GUIDE

As you may know, we are currently in a transition period until 31 December 2020, while additional arrangements are negotiated between the UK and the EU. The General Data Protection Regulation (GDPR) is enshrined in UK law as the Data Protection Act 2018, which will continue in force after the transition period ends. Therefore, the current rules of data protection will continue to apply during this period, but the UK will have the independence to keep this under review.

International Data Transfers

Now that the UK is no longer an EU member state, it has been reclassified as a ‘third country’. Under the GDPR, the transfer of personal data from the EEA to third countries and international organisations is permitted only in certain circumstances:

  • Adequacy Decision – if the European Commission has issued an adequacy decision, stating that there is an adequate level of data protection. The UK and EU are currently attempting to complete this process within the transition period;
  • BCRs or SCCs – if appropriate safeguards are in place, such as BCRs (Binding Corporate Rules) or SCCs (Standard Contractual Clauses). The ICO will no longer be a supervisory body under the GDPR at the end of the transition period, which means that BCRs will need to be approved by a supervisory authority within Article 27 of the GDPR; and
  • Codes of Conduct – if there is an approved code of conduct. No such code has been agreed for transfers from the EEA to the UK yet.

Potential penalties for non-compliance

Breaches of the GDPR requirements for transferring personal data to third countries or international organisations are subject to the higher level of administrative fines. This could be up to 20 million euros or 4% of annual global turnover, whichever is higher.

How can you prepare?

The steps your business will need to take to prepare for the end of the transition period will depend on:

  1. Whether you have contacts or customers in Europe;
  2. Whether you send or receive data to or from Europe;
  3. Whether you have a European presence or European customers; and
  4. Whether you send or receive data to or from countries outside Europe.

1. UK Businesses and Organisations who have no contacts or customers in Europe

If you are a UK business or organisation that already complies with the GDPR, and you do not have contacts in the EEA who send you data, and no customers in the EEA, then there is not a great deal of data protection preparation required for the end of the transition period.

You should:

  • Comply with the GDPR now; and
  • Review your privacy policies and documentation to identify any minor updates that must be made (see section: Minor Updates).

2. UK Businesses and Organisations who send or receive data to or from Europe

If you are a UK business or organisation that receives data from contacts in the EEA, you will need to take additional steps to ensure that the data can continue to flow as required at the end of the transition period.

You should:

  • Comply with the GDPR now;
  • If you send data from the UK to the EEA, note that you will still be able to do so and no additional steps will be required;
  • If data is sent to you by a business or organisation in the EEA, note that it will still need to comply with EU data protection laws. You will need to take action with them to ensure that the data can continue to flow as before;
  • Consider using SCCs (Standard Contractual Clauses), as for most businesses or organisations, these are the most effective way to keep data flowing to the UK;
  • Make sure you review your privacy policies and documentation to identify any minor updates that must be made (see section: Minor Updates); and
  • Keep up to date with the latest information and guidance.

3. UK Businesses and Organisations with a European Presence or European Customers

If your business or organisation operates in the EEA, you will be required to comply with both UK and EU data protection regulations at the end of the transition period. You may also need to appoint a representative in the EEA.

You should:

  • Comply with the GDPR now;
  • Note that you will need to comply with the UK data protection regime for your UK activities;
  • If you have offices in the EEA, note that your European activities will be covered by EU law, even at the end of the transition period. You should find out which European data protection regulator will be your ‘lead supervisory authority’;
  • If you are based only in the UK, but you offer goods or services in the EEA, note that you will still need to comply with the EU data protection regime in relation to these activities;
  • Appoint a suitable representative in the EEA (see section: European Representatives). This person will act as the local representative of your business when dealing with individuals and data protection authorities in the EEA. You should find a provider in the EEA who offers services as a GDPR representative. Note that if you have a data protection officer (DPO), they cannot also act as your EEA representative;
  • Make sure you review your privacy policies and documentation to identify any minor updates that must be made (see section: Minor Updates); and
  • Keep up to date with the latest information and guidance.

4. UK Businesses or Organisations who send or receive data to or from countries outside Europe

If your business or organisation sends or receives data to or from countries outside the EEA, the rules will remain similar at the end of the transition period. At this stage, you don’t need to take any additional steps.

You should, however:

  • Comply with the GDPR now;
  • Make sure you review your privacy policy and documentation to identify any minor updates that must be made (see section: Minor Updates); and
  • Keep up to date with the latest information and guidance.

European Representatives

If you do not have any offices based in the EEA, you should consider whether you are processing data in the EEA that relates to offering goods or services to individuals in the EEA. If you are carrying out this kind of processing, and will continue to do so after the end of the transition period, you will need to determine whether you need to appoint a European representative. This may not be necessary if your processing is minimal and of low risk to the data protection rights of individuals.

You should consider in which EU or EEA state your representative will be based and put in place the relevant written mandate for that representative to act on behalf of your business. Information about the representative should be included in certain documentation given to your data subjects and made available to supervisory authorities. You should also note that appointing a representative does not affect your own liability under the GDPR.

Minor Updates

These updates apply to all UK businesses and organisations whose processing of personal data is currently governed by the GDPR.

You may need to review and update your:

  • Privacy Notices;
  • Rights of Data Subjects;
  • Documentation;
  • Data Protection Impact Assessments (DPIAs);
  • Data Protection Officers; and
  • Codes of Conduct and Certification.