This article was originally published by Dundee & Angus Chamber of Commerce.
You may be wondering what Brexit means for data protection. Before the transition period ends on 31 December 2020, organisations would be well advised to take steps to ensure that they remain data protection compliant in the “post-Brexit” world. With that in mind, David Gourlay sets out some key points for businesses to consider before the end of the year.
What will be happening with UK data protection law on 1 January 2021?
Although the UK left the EU on 31 January 2020, we are currently in a transition period which ends on 31 December 2020. From 1 January 2021, the UK will have a consolidated and amended version of the GDPR and the UK Data Protection Act 2018. This will be known as the “UK GDPR”.
What this means is that, at least on 1 January 2021, UK data protection law will be more or less aligned to EU data protection law – so all the obligations organisations have now, such as having a lawful basis for handling personal data and telling people how you will use their data will stay the same. There is, however, no guarantee that UK data protection law will always be aligned.
Tip 1: Review your overseas transfers of personal data
Personal data has continued to flow freely between the EEA and the UK during the transition period (subject, of course, to complying with the GDPR). However, this may change on 1 January 2021 as the UK will be deemed to be a third country for the purposes of EU data protection law. The GDPR restricts the transfer of personal data to third countries unless there is another data protection mechanism in place, such as an adequacy decision granted by the European Commission.
At the time of writing, we await a decision from the European Commission on the adequacy of UK data protection legislation. It is uncertain whether the European Commission will be in a position to give its decision on adequacy before the end of the transition period (or at all). If there is no adequacy decision in favour of the UK before the end of the transition period, this will have implications for your organisation if it imports personal data from the EEA (i.e. the EU, Iceland, Liechtenstein and Norway).
The points below set out a number of scenarios which will play out depending on what personal information your organisation will handle.
“We have no contacts or customers in the EEA.”
If your organisation already handles personal data in line with the GDPR then it is unlikely that you are going to have to do much.
“We send personal data to the EEA.”
Transfers of personal data to the EEA can continue as they are.
“We get personal data from contacts based in the EEA.”
Your organisation will have some work to do to ensure that it can continue to receive personal data. This is because the organisation sending you the personal data must comply with the GDPR. Until such time as the EU deems that the UK provides adequate safeguards for protecting personal data, for EEA-based organisations to be able to send personal data outside the EEA they must ensure appropriate safeguards are in place. In most cases this means that they will require your organisation to enter into what are known as Standard Contractual Clauses which have been approved by the European Commission or put into place alternative safeguards. You may already be using Standard Contractual Clauses to transfer personal data outside the EEA. With the UK leaving the EEA, it will be your turn to be asked by those organisations remaining in the EEA to enter into Standard Contractual Clauses.
“We have an office, branch or other establishment in the EEA” or “We have customers in the EEA.”
In each case your organisation is going to have to comply with UK data protection law and EU data protection law. You may need to appoint a European representative (see below).
“We send personal data outside the EEA”.
The UK will continue to recognise EU-approved transfer mechanisms such as Standard Contractual Clauses. That means that your organisation can continue to use them when transferring personal data outside the EEA.
For those 12 countries which the EU has already recognised as providing adequate safeguards for personal data (Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay), eleven of those countries (Andorra being the exception) will keep unrestricted personal data flows with the UK. Therefore, transfers of personal data to and from these countries can continue as they are.
Tip 2: Review and update your privacy notices
You will need to review and update your privacy notices. Although the bulk of the information provided in your privacy notices is unlikely to change, some changes may be needed. For example:
- to reflect changes to international transfers, including the fact that the UK is no longer part of the EU or the EEA;
- to remove references to EU law; and
- to provide details of your EU representative, if you need one - see below.
You may also have to update other documents, such as your records of processing, data sharing agreements and data protection impact assessments.
Tip 3: Consider whether you need to appoint an EU representative
If your organisation has no office, branch or other establishment in the EEA but offers goods or services to individuals in the EEA or monitors the behaviour of individuals in the EEA, you may be required to appoint a European representative to act on your behalf. Although there are some exceptions to the need to appoint a European representative, this requirement is likely to come as something of an unpleasant surprise but it is important that it is not overlooked.
The representative, which can be an individual, company, or organisation, should be located in a Member State that your organisation operates in and be appointed on the basis of a written mandate, i.e. a services agreement. You will also have to ensure that details of your representative are added to your privacy notices and made available to data protection supervisory bodies, for example via your website.
Doing nothing is unlikely to be an option if your organisation wishes to remain data protection compliant following Brexit. Planning ahead will be key to staying on the right side of compliance.