Brexit – Data Protection from 1 January 2021
Friday, December 18, 2020
The UK left the EU on 31 January 2020. As a result, the transition period will end on 31 December 2020.
Businesses in the UK that process personal data are currently required to adhere to the EU General Data Protection Regulation (EU GDPR) and the UK Data Protection Act (DPA) 2018.
The UK GDPR
The government has already issued various regulations dealing with data protection and Brexit.
In short, and among other things, these regulations will merge the EU GDPR with aspects of the UK DPA 2018 to form a new “UK GDPR” regime.
In reality, there are few major differences between the EU GDPR and the proposed UK GDPR. Therefore, as a helpful starting point, businesses should continue to comply with the EU GDPR.
The way in which EEA Data Transfers are managed from 1 January 2021 will largely depend upon whether or not the European Commission issues an “adequacy decision” in respect of the UK. An adequacy decision essentially confirms that the country in question does have sufficient legislation in place to meet EU data protection standards, without needing to implement further safeguards.
So, if the European Commission grants an adequacy decision, then personal data from the EEA can flow to the UK freely and uninterrupted.
However, given that the UK and EU have yet to reach a deal on Brexit, an adequacy decision remains unguaranteed.
What happens if there is NO adequacy decision before 1 January 2021?
If there is no adequacy decision in place for the UK, then the UK will be classed as a “third country” for the purposes of the EU GDPR. This means that, from 1 January 2021, additional safeguards will be required in order to ensure that personal data can continue to flow freely between the EEA and the UK.
Sending Personal Data to the EEA
According to the UK government, businesses will still be able to send personal data from the UK to the EEA without taking any additional action.
Receiving Personal Data from the EEA
If an EEA business is sending personal data to a UK business, then that EEA business will still need to comply with EU GDPR.
While it is the EEA business which must adhere to EU GDPR, in reality, UK businesses will need to assist and co-operate with the EEA business to ensure that safeguards are in place in the event that there is no adequacy decision for the UK.
For most smaller to medium-sized businesses, Standard Contractual Clauses (SCCs) will be the most suitable method to ensure that data flows to/from the EEA can continue after the transition period.
SCCs are contractual terms dealing with obligations regarding personal data which both the sender and receiver of the personal data agree to implement.
Such clauses must be drafted extremely carefully to ensure that they act as valid SCCs for the purposes of the EU GDPR. The ICO has published guidance and draft SCCs to help businesses.
Actions you may need to consider:
- Continue to comply with EU GDPR, as EEA countries remain bound by the EU GDPR and the UK GDPR will largely mirror this;
- Map your data flows and identify where you send or receive data to/from businesses in the EEA – this may include where you use cloud-based IT systems which are based in the EEA;
- You don’t need to take additional steps to send personal data to the EEA;
- If you receive personal data from the EEA:
  - liaise with the EEA businesses you work with and your suppliers;
  - look at the ICO guidance and agree SCCs with EEA businesses and suppliers where required;
  - update your contracts accordingly.
- If you offer goods/services to EEA customers but do not have an EEA office, then you may also need to appoint a European Representative based in the EEA and you will need to implement a written agreement with the individual/corporate entity;
- Review your data protection policies and privacy notices to ensure that they are fit for purpose.
Please note: the above is a brief overview only. For more information regarding data protection obligations, please contact Martha Craven or Thomas Cumming.