Brexit and the GDPR
(as at November 2020)
The UK has left the EU and the transition period is set to end on 31st December 2020. Up until then all UK organisations are bound by the General Data Protection Regulation (GDPR). So, what happens after 31st December 2020?
After the end of the transition period the GDPR will be brought into UK law under what’s known as the UK GDPR, which will be supplemented by the Data Protection Act 2018. This UK legislation closely mirrors the GDPR with some changes, especially around transfers of data between the UK and the EU/EEA. UK organisations that have an establishment in the EU, or that offer goods or services to, or monitor the behaviour of, EU individuals, will continue to be bound by the EU GDPR and may need to review their documentation.
Adequacy – In order to protect individuals’ personal data when it is transferred from the EU to a ‘third’ country, i.e. a country outside of the EU, the European Commission looks at the protections offered by that country, in particular its data protection legislation as well as the way that its government treats data privacy. If the Commission is satisfied that a third country offers sufficient protection, it awards what is known as an adequacy decision. Once an adequacy decision is awarded, transfers can go ahead unhindered, as if the data were being transferred within the EU. Once the transition period ends on 31st December 2020, the UK will become a third country, and how data can be transferred from the EU to the UK will depend upon whether the Commission awards an adequacy decision to the UK. This is by no means a foregone conclusion. Discussions are under way, but the trade negotiations as well as EU concerns over UK government surveillance leave a question mark over the likelihood of adequacy being achieved, especially in the short term. In the absence of such a decision, organisations will need to find different lawful bases for dealing with their EU business, such as standard contract clauses, binding corporate rules, etc.
The transfer of personal data from the UK to EU countries can continue as normal after 31st December 2020, because the UK has in effect given the EU an adequacy decision.
EU Representatives – organisations offering goods or services to, or monitoring the behaviour of, individuals in the EU and that have no offices or branches in the EU will, after 31st December 2020, be required to appoint a representative in the EU. Organisations offering products or services to more than one EU country will not need to appoint a representative in each country, but would normally do so in the country where most activity takes place. Contact details for the representative must be included in the organisation’s privacy notice, and a written agreement must be in place with the representative detailing the representative’s responsibilities. The representative will be the main point of contact for the local data protection authority/authorities as well as for data subjects.
Under the UK GDPR it is intended that organisations outside of the UK that are bound by the UK GDPR will be required to appoint a representative in the UK.
Standard Contract Clauses – traditionally, organisations transferring personal data to countries outside the EEA where no adequacy decision is in place have been able to use approved standard contract clauses (SCCs) as a lawful basis for such transfers. The recent Schrems 2 ruling by the Court of Justice of the European Union (CJEU) agreed that SCCs are still valid, but that in order to rely on them organisations need to carry out (on a case-by-case basis) a risk assessment and consider implementing additional safeguards. SCCs place strict obligations on the parties, and in some cases risk assessments may well throw up issues that give cause for concern. The CJEU also put pressure on data protection authorities (in our case the ICO) to be proactive in ensuring organisations comply. Particular difficulties may be encountered by organisations transferring to the USA, because any risk assessment will reveal the very issues that led to the demise of the Privacy Shield (see separate blog on this).
There is a plan to introduce new, updated SCCs at some point, but our advice in the meantime is to put SCCs in place, carry out the risk assessment and apply whatever safeguards you can, such as encryption and pseudonymisation.
If you have any questions or need any help with your data protection compliance, or if you are seeking a Data Protection Officer, please contact us for an initial chat. Working with our partners Right Cue Assurance, SIRE Technology and Clarkslegal we are additionally able to offer a complete end-to-end solution including cyber security, secure cloud hosting and backup, network security, IASME compliance, ISO 27001, legal advice and documentation etc.
Nick Richards CIPP/E