" . . . extremely helpful and knowledgeable . . ."
Understanding GDPR after 31 December 2020
Although not necessarily the first thought on peoples’ minds as the New Year came in, 31 December 2020 marked the end of the Brexit transition period. This meant that, although the UK left the EU on 31 January 2020, it was treated as still being a member of the customs union and single market throughout the transition period. This allowed certain arrangements to remain in place while the new relationship between the UK and EU was negotiated.
The end of the transition period has brought new rules for travel/movement and doing business with Europe. Amongst many other areas of business activity affected, cross-border data flows (particularly inward) require consideration if you deal with European customers or operate within the EEA.
- The EU GDPR is retained as part of UK law following the end of the transition period but the UK’s legislation (renamed the “UK GDPR”) now stands separately and may be reviewed or amended by the UK independently (in practice, it is unlikely that the UK will diverge significantly from European data protection laws – at least for the foreseeable future).
- The key principles, rights and obligations under GDPR with which we have been familiar since at least 2018 will continue to apply under the new UK GDPR, however there are changes in the rules relating to transfers of personal data between the UK and the EEA.
- The UK has become a ‘third’ country for the purposes of data exports from the EU and additional steps may be required for European businesses to make compliant transfers; this is why the UK is seeking an “adequacy” decision from the EU Commission. An adequacy decision would mean the UK is viewed as a ‘safe’ place to transfer data to and would avoid the need for additional safeguards and red tape!
- As part of the recent Brexit deal, it has been agreed that no restrictions on data transfers to the UK will apply for at least 4 months and up to six months. If an adequacy decision is not reached by the end of this data ‘bridge’, other measures to make lawful transfers will need to be put in place eg use of standard contractual clauses. Note that the timescale for any adequacy decision to be made is uncertain.
- Businesses and organisations are advised to use the breathing space granted by the data bridge to make preparations eg identify data flows from the EU and, possibly, put in place standard contractual clauses with the sender(s) of the personal data they process. This may be advisable particularly in relation to business-critical, large volume ‘sensitive’ data where certainty is desired and the implications of not being able to make lawful transfers are most severe.
- Now that the transition period has ended, data controllers should also amend privacy information and policies where reference is made to overseas transfers to reflect that the UK is no longer part of the EU.
- The UK Information Commissioner (ICO) has issued new guidance and provided resources to help data controllers ‘keep data flowing’ from 1 January recognising that, particularly for SMEs, understanding the impact of Brexit and ensuring their processing continues to be compliant is challenging without dedicated ‘in-house’ expertise. (see: https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/).
- There are also changes affecting UK data controllers who carry out cross-border processing (from more than one establishment in the UK and Europe and/or who ‘target’ individuals within the EEA) regarding their interaction with regulators. Again, further information is available via the ICO’s website.
In summary, the advice to businesses is essentially:
of the changes triggered by the end of the transition period relating to GDPR.
inward EU data flows and prepare in case an adequacy decision is not forthcoming from the EU.
for developments relating to the UK’s adequacy status and, as necessary, make use of the ICO’s latest guidance and interactive tools to ensure lawful data transfers.
Call me to discuss how I can help your business get UK GDPR compliant. I will be pleased to help.
Katherine Sheerin | Associate Solicitor | Quantrills | 01473 688100