Data Protection and Brexit – what steps do you need to take?
Key Contact: Rem Noormohamed
Author: Lowri Morgan-Macdonald
With the end of the transition period (31 December 2020) fast approaching, you should start considering what steps you may need to take to continue to comply with the data protection legislation.
What will happen to the GDPR?
The General Data Protection Regulation (GDPR) is a piece of EU legislation and will therefore no longer apply to the UK at the end of the transition period. However, the Data Protection Act 2018 which supplements the GDPR in the UK will continue to apply and the intention is for the government to incorporate the provisions of the GDPR directly into UK law from the end of the transition period to create a ‘UK GDPR’. The principles, rights and obligations will therefore largely mirror the current position under the GDPR.
The GDPR may also still apply directly to you if you operate in the EU, offer goods or services to individuals in the EU, or monitor the behaviour of individuals in the EU. You will therefore need to ensure that you continue to comply with the GDPR in such circumstances.
Will we still be able to transfer personal data to and from the EU?
Under the GDPR, personal data can only be transferred outside the European Economic Area (the EEA) (i.e. the EU plus Iceland, Norway and Liechtenstein) if the transfer is covered by:
- An adequacy decision (i.e. where the European Commission has determined that the legal framework in the territory to which the data is to be transferred provides adequate protection for the personal data of individuals);
- Appropriate safeguards – these include the parties entering into standard contractual clauses (SCCs) adopted by the European Commission in relation to such transfers; or
- One of the limited exceptions – these include explicit consent, or where the transfer is necessary for important reasons of public interest or to protect vital interests.
Transfers from the UK to the EEA will not be restricted. You can therefore continue to transfer personal data to the EEA from the UK without taking any additional steps.
The UK government are currently seeking an adequacy decision from the European Commission to allow the free flow of personal data from the EEA to the UK following the end of the transition period. However, if an adequacy decision is not obtained before the end of the transition period, you will need to consider what other safeguards you may be able to put in place to enable you to continue with transfers of personal data from the EEA to the UK.
The most straightforward mechanism to adopt, in order to continue with any such transfers, is likely to be to enter into SCCs with the other party covering such transfers. These would be entered into between the EEA controller and the UK controller or processor and cannot be amended (except to add business-related clauses which do not contradict the SCCs). The SCCs place obligations on the data exporter and importer and also set out rights for the individuals whose data is transferred.
If you are based in the UK and do not have a branch, office or other establishment in any other EEA state, but you either offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA, you may need to appoint a European representative.
The representative will be authorised to act on your behalf and liaise with any supervisory authorities or data subjects in relation to your GDPR compliance. They can be an individual, company or organisation and must be established in an EEA state where some of the individuals whose personal data you are processing for such purposes are located.
There are some limited exceptions to the requirement to appoint a European Representative, namely if:
- You are a public authority; or
- Your processing is only occasional, of low risk to the data protection rights of individuals and does not involve the large-scale use of special category or criminal offence data.
What else will I need to consider?
You should also review your data protection documentation and policies and make any amendments necessary to reflect the position after the end of the transition period. For example, you may need to update your privacy policies or notices, data protection impact assessments and other documents to refer to UK law rather than EU law, any changes to international transfers and the appointment of an EU representative (if required).
For more information or advice on the steps that you need to take, please contact [email protected].