Data protection and Brexit: The key considerations

This article was originally published by Dundee & Angus Chamber of Commerce.

You may be wondering what Brexit means for data protection. Before the transition period ends on 31 December 2020, organisations would be well advised to take steps to ensure that they remain data protection compliant in the “post-Brexit” world. With that in mind, David Gourlay sets out some key points for businesses to consider before the end of the year.

What will be happening with UK data protection law on 1 January 2021?

Although the UK left the EU on 31 January 2020, we are currently in a transition period which ends on 31 December 2020. From 1 January 2021, the UK will have a consolidated and amended version of the GDPR and the UK Data Protection Act 2018. This will be known as the “UK GDPR”.

What this means is that, at least on 1 January 2021, UK data protection law will be more or less aligned to EU data protection law – so all the obligations organisations have now, such as having a lawful basis for handling personal data and telling people how you will use their data, will stay the same. There is, however, no guarantee that UK data protection law will always be aligned.

Tip 1: Review your overseas transfers of personal data

Personal data has continued to flow freely between the EEA and the UK during the transition period (subject, of course, to complying with the GDPR). However, this may change on 1 January 2021 as the UK will be deemed to be a third country for the purposes of EU data protection law. The GDPR restricts the transfer of personal data to third countries unless there is another data protection mechanism in place, such as an adequacy decision granted by the European Commission.

At the time of writing, we await a decision from the European Commission on the adequacy of UK data protection legislation. It is uncertain whether the European Commission will be in a position to give its decision on adequacy before the end of the transition period (or at all). If there is no adequacy decision in favour of the UK before the end of the transition period, this will have implications for your organisation if it imports personal data from the EEA (i.e. the EU, Iceland, Liechtenstein and Norway).

The points below set out a number of scenarios which will play out depending on what personal information your organisation will handle.

“We have no contacts or customers in the EEA.”

If your organisation already handles personal data in line with the GDPR then it is unlikely that you are going to have to do much.

“We send personal data to the EEA.”

Transfers of personal data to the EEA can continue as they are.

“We get personal data from contacts based in the EEA.”

Your organisation will have some work to do to ensure that it can continue to receive personal data. This is because the organisation sending you the personal data must comply with the GDPR. Until such time as the EU deems that the UK provides adequate safeguards for protecting personal data, EEA-based organisations must ensure appropriate safeguards are in place before they can send personal data outside the EEA. In most cases this means that they will require your organisation either to enter into what are known as Standard Contractual Clauses, which have been approved by the European Commission, or to put alternative safeguards in place. You may already be using Standard Contractual Clauses to transfer personal data outside the EEA. With the UK leaving the EEA, it will be your turn to be asked by those organisations remaining in the EEA to enter into Standard Contractual Clauses.

“We have an office, branch or other establishment in the EEA” or “We have customers in the EEA.”

In each case your organisation is going to have to comply with UK data protection law and EU data protection law. You may need to appoint a European representative (see below).

“We send personal data outside the EEA.”

The UK will continue to recognise EU-approved transfer mechanisms such as Standard Contractual Clauses. That means that your organisation can continue to use them when transferring personal data outside the EEA.

Of the 12 countries which the EU has already recognised as providing adequate safeguards for personal data (Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay), eleven (Andorra being the exception) will keep unrestricted personal data flows with the UK. Therefore, transfers of personal data to and from these countries can continue as they are.

Tip 2: Review and update your privacy notices

You will need to review and update your privacy notices. Although the bulk of the information provided in your privacy notices is unlikely to change, some changes may be needed. For example:

  • to reflect changes to international transfers, including the fact that the UK is no longer part of the EU or the EEA;
  • to remove references to EU law; and
  • to provide details of your EU representative, if you need one - see below.

You may also have to update other documents, such as your records of processing, data sharing agreements and data protection impact assessments.

Tip 3: Consider whether you need to appoint an EU representative

If your organisation has no office, branch or other establishment in the EEA but offers goods or services to individuals in the EEA or monitors the behaviour of individuals in the EEA, you may be required to appoint a European representative to act on your behalf. Although there are some exceptions to the need to appoint a European representative, this requirement is likely to come as something of an unpleasant surprise, but it is important that it is not overlooked.

The representative, which can be an individual, company, or organisation, should be located in a Member State that your organisation operates in and be appointed on the basis of a written mandate, i.e. a services agreement. You will also have to ensure that details of your representative are added to your privacy notices and made available to data protection supervisory bodies, for example via your website.

Doing nothing is unlikely to be an option if your organisation wishes to remain data protection compliant following Brexit. Planning ahead will be key to staying on the right side of compliance.
