Data protection regulations will not change after the UK leaves the EU, but that does not mean there is no impact on organisations from a data protection perspective.
The EU GDPR will no longer apply directly in the UK at the end of the transition period (31 December 2020). However, UK organisations must still comply with the requirements after this point.
The DPA 2018 enacts the EU GDPR’s requirements in UK law. The UK government has also issued a statutory instrument – the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 – which amends the DPA 2018 and merges it with the requirements of the EU GDPR to form a data protection regime that will work in the UK after Brexit. This new regime will be known as ‘the UK GDPR’.
The GDPR will be retained in domestic law at the end of the transition period, but the UK will have the independence to keep the framework under review. So, in practical terms, there will be little change to the core data protection principles, rights and obligations found in the GDPR in the immediate future.
As of 1 January 2021, the UK GDPR together with the amended DPA and PECR will comprise the personal data protection legislation in the UK.
With the GDPR brought into UK law as the ‘UK GDPR’ it is very much still a part of our legislative landscape, but the exit from the EU does mean that businesses need to review their data transfer processes and policies in light of the conclusion of the transition period.
The implications for your business are dependent on your data relationship with the EU, as summarised by the ICO (Information Commissioner’s Office):
*The EEA is the EU plus Iceland, Norway and Liechtenstein.
As the UK is no longer an EU member state, it has been reclassified as a ‘third country’.
Under the EU GDPR, the transfer of personal data from the EEA to third countries and international organisations is permitted only in certain circumstances:
To date, the Commission has adopted 12 adequacy decisions:
The EU-US Privacy Shield, which allowed certified US organisations to process EU residents’ personal data, was ruled invalid by the ECJ (European Court of Justice) on 16 July 2020 following legal action by the Austrian privacy campaigner Max Schrems.
EU data controllers that use US data processors, and US processors that process the personal data of EU residents, are advised to rely on SCCs or BCRs (as appropriate) until a new code of conduct is approved or an adequacy decision is reached between the EU and US.
However, as detailed in ‘Privacy Shield is no longer sufficient protection’, SCCs are only valid if the law in the receiving country ensures adequate protection. If the law in that country makes it impossible to meet the obligations (if the personal data is likely to be interfered with by state surveillance, as in the case with the USA), they are not valid and there must be additional safeguards to provide the necessary protection. If such safeguards cannot be put in place, the processing must be suspended.
If the EU and UK do not reach an adequacy decision by 31 December 2020, organisations that process EU residents’ personal data will have to rely on other safeguards, such as BCRs or SCCs.
BCRs are defined in GDPR Article 1: “binding corporate rules means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity”.
Or, more simply: agreements governing transfers between organisations within a corporate group.
In order to get BCRs approved, in accordance with the consistency mechanism of the GDPR, BCRs must:
It is important to note that, after the UK leaves the EU, the ICO will no longer be a supervisory authority under the EU GDPR and will not be able to approve BCRs for transfers of personal data from the EEA to the UK. Such BCRs will, therefore, need to be approved by a supervisory authority within the EU 27.
For most businesses and organisations, SCCs (Standard Contractual Clauses) are the best way to keep data flowing to the UK.
SCCs are standard sets of contractual terms and conditions which the sender and the receiver of the personal data both sign up to. They include contractual obligations which help to protect personal data when it leaves the EEA and the protection of the GDPR.
It is the EEA sender of the personal data which must comply with GDPR rules, but UK receivers may want to assist those senders in complying, to make sure data continues to flow if the transition period ends without adequacy.
You can use the ICO’s SCC Interactive Guidance tool to help you build out the clauses.
If you are a small or medium sized business or third sector organisation, then SCCs are usually your best option. You are unlikely to have a realistic alternative.
If you are a public authority receiving the data from another public authority, you may still use the SCCs, if both you and the sender are able to enter into contracts. However, there are other options for transfers between public authorities. You may be able to enter into your own contract or an administrative arrangement to ensure individuals’ rights and remedies.
Lead supervisory authority: If you have offices, branches or other establishments in the EEA, your European activities will be covered by EU law, even at the end of the transition period. You can check which European data protection regulator will be your ‘lead supervisory authority’.
European Representatives: If you are only based in the UK but you offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA, you will still need to comply with the EU data protection regime in relation to these activities. In most cases you will also need to appoint a suitable representative in the EEA. This person will act as your local representative with individuals and data protection authorities in the EEA. You need to find a provider in the EEA who offers services as a GDPR representative. If you have a data protection officer (DPO), this cannot be the same person or one of your processors. Read the ICO guidance on European representatives.
Policy documentation: Finally, make sure you review your privacy information and documentation to identify any minor changes that need to be made at the end of the transition period.
In light of the upcoming end of the transition period we wanted to provide clarity to our customers on the impact of this change in relation to continued use of our services. Read ‘Our services after the UK leaves the EU’.
We are confident that we can help you, which is why we offer a free healthcheck to identify potential issues with your current programme and free advice on things that could be done to improve it.