Monday 7 Dec 20
EU and UK data protection law is currently aligned, so UK organisations do not have to make changes to accommodate the Withdrawal Agreement. The UK GDPR applies alongside the Data Protection Act 2018.
There is not yet a decision on adequacy. The EU has extended its deliberation period by up to six months. In the meantime, a 'bridging mechanism' in the EU-UK Trade and Cooperation Agreement allows personal data to continue to flow freely from the EU to the UK until an adequacy decision is made. If no decision is made before the bridge expires, standard contractual clauses (SCCs) will be essential to safeguard against interruption to that flow, so it is worth preparing them now. You can read more about SCCs in our guide to service companies and Brexit and on the ICO website.
Article 71(1) of the Withdrawal Agreement still applies to legacy personal data (personal data of data subjects outside the UK that was processed under EU law before the end of the transition period) until an adequacy decision is made. GOV.UK has published guidance on intellectual property rights after Brexit and a summary of the key changes.
GOV.UK has also updated its guidance on copyright law. The ICO has published further guidance on data protection during the Covid-19 recovery period, covering how to collect data lawfully and proportionately when carrying out screening measures.
At 11pm on 31 December 2020 the Brexit transition period came to an end, and Brexit really did mean Brexit. This has profound implications for data protection law and for businesses' obligations under it. There are now practical consequences for transfers of personal data between the UK and the EEA, and between the UK and other countries outside the EU, and action will also need to be taken in other areas of data privacy compliance.
In this guide, we’ll set out the key changes to the data protection framework and what this means for UK businesses providing goods or services in the EU and vice versa.
To understand the changes taking place now that the transition period has ended, it's important to understand the pre-Brexit framework. Previously, there were four key pieces of legislation covering data protection. These were:
From 31 December 2020, the European Union (Withdrawal) Act 2018 provides that EU-derived domestic legislation (such as PECR) and direct EU legislation (the GDPR) form part of UK domestic law as retained EU law. The UK has the power to correct this retained law by statutory instrument so that its wording works in a UK context. On the surface, the post-Brexit position is therefore not very different from the previous law: businesses remain subject to the GDPR (now the UK GDPR), the DPA 2018 and PECR.
The EU GDPR still exists and will continue to affect many UK businesses that trade or conduct business with the EU and EEA. Although the UK may choose domestically to depart from CJEU rulings in future, CJEU decisions handed down before the end of the transition period continue to apply to UK businesses post-Brexit.
The EU has been working for several years on a regulation to replace its e-privacy directive (the directive that PECR implements), but it has still not come into effect. Because it did not take effect before the end of the transition period, it will not apply to the UK, although the UK is likely to adopt something similar domestically.
From 1 January 2021, UK organisations have to comply with the new UK regime, consisting of PECR, the UK GDPR and the DPA 2018. However, if you are a UK organisation with processing activities in the EU, or you target or monitor individuals in the EU from the UK, you are now subject to regulatory responsibilities under both regimes.
The EU GDPR applies to non-EU businesses that do not have an establishment in the EU but offer goods and services to, or monitor the behaviour of, individuals in the EU. This means that if you are an organisation in the UK without an establishment in the EU, you will need to comply with the EU GDPR, CJEU case law and the national data protection laws of any member states you do business with, in addition to the UK regime.
Both regimes are practically very similar today, but they may diverge over time, so make sure you stay familiar with both.
These changes have knock-on effects for UK and non-UK businesses.
You may have to appoint a separate UK Data Protection Officer and a legal representative in the EU. Exposure to both regimes means you are at risk of fines and sanctions from both sides for the same infringement.
Non-UK businesses face very similar changes, but in reverse. UK data protection law now applies to businesses without a UK establishment that offer goods and services to, or monitor, individuals in the UK. EU businesses that were not previously caught by the DPA 2018 will now have to consider the Act's additional obligations that go beyond the EU GDPR. These businesses will need to consider how to manage the double-jeopardy risk for any data protection infringement.
Non-UK businesses will need to consider these key questions in relation to their compliance obligations:
As tempting as it is to wait until a decision on adequacy is made, there are preparatory steps it would be prudent to take now. The following steps can be taken without knowing the outcome of the adequacy question.
An adequacy decision is the European Commission's formal finding, under the EU GDPR, that UK law provides a level of protection for personal data essentially equivalent to that in the EU, so that transfers from the EU to the UK can continue without additional safeguards.
Until that decision is made, businesses need valid transfer mechanisms in place for data flowing from the EU to the UK, because the bridging arrangement that has applied since 31 December 2020 is time-limited. Given the short timeframe, businesses should put standard contractual clauses in place as soon as possible.
Either way, data mapping will need to be done, not just for data transfers but for other aspects of data protection compliance too.
Understanding how your data flows is very important. Start establishing now which data transfers are taking place into and out of the UK. This level of data mapping is a requirement under both the UK and EU GDPR. Many businesses assume that this level of detail is already recorded somewhere in their processing records, but it is often lacking.
Existing data transfer records usually only cover transfers out of the EU generally, rather than specific transfers into and out of the UK. This data mapping exercise is likely to take some time, so you should start as soon as possible. You will need to understand transfers from both a UK GDPR and an EU GDPR perspective, and map transfers from the UK into the EU and vice versa. Mapping should also cover onward transfers, for example to other non-EU locations, which are also caught by the EU regime.
Once these data transfers are mapped and understood, you can put the appropriate transfer mechanism in place for each flow as soon as the adequacy position is known.
Many business contracts will need to be amended, and definitions will need to be updated to replace references to EU legislation with the UK GDPR and UK data protection law.
Now that the transition period has come to a close, the UK is a third country for the purposes of the EU GDPR. Likewise, EU member states are third countries for the purposes of the UK GDPR. Records of processing must include information about transfers to third countries. Many businesses do not already record this, so they will need to update their records as part of the mapping process.
Because the two regimes are so similar, you probably will not need separate policies for each for now. If the regimes start to diverge, however, you may need to reconsider, so keep this in mind for the foreseeable future.
How much amendment is needed will differ between businesses and will depend on how much of your policies and procedures are based on, or refer to, EU regulations and law. You will need to review all of them to see whether they need amending.
Under the dual regime you will need to consider your process for notifying breaches. If you are a UK business and you currently only notify the ICO, you may also need to notify the relevant EU supervisory authority, so review your procedure going forward.
You will need to consider where your DPO is based. If your DPO is in the UK, you might need a separate DPO in the EU with expert knowledge of EU data protection law in practice. This may be the same person if your UK-based DPO has the required knowledge, but you will need to review this as soon as possible.
If you are established outside the EU and you process the personal data of individuals in the EU to offer them goods and services or to monitor their behaviour, the EU GDPR requires you to appoint an EU-based representative unless an exemption applies. This means that if you are a UK-established business that provides cross-border goods or services into the EU but no longer has an establishment there after the transition period, you will need to appoint an EU representative in one of the member states where at least some of your data subjects are located.
Once the representative is appointed, there are steps to take:
Draw up a short-form appointment document to record the arrangement.
Make information about your representative readily available to data subjects and supervisory authorities, for example by publishing it clearly on your website. The European Data Protection Board has indicated that supervisory authorities can initiate enforcement action, including fines, against representatives in the same way as against controllers or processors, although this is still not entirely settled. It is something to bear in mind when setting out terms with your representative.
Businesses outside the UK will also need a UK representative under the UK GDPR if they are not established in the UK but provide goods and services into the UK, or monitor individuals there. This representative should have been appointed by 31 December 2020, so if you have not done this already, do it as soon as possible. The same considerations apply as for an EU representative, but under the UK GDPR.
The EU GDPR's 'one stop shop' regime does not extend to the UK, and the ICO will no longer act as lead supervisory authority for EU data processing. Businesses that previously had the ICO as their lead supervisory authority therefore need to think about how the 'one stop shop' regime will apply to them in future. You will probably have to deal with the ICO and with the supervisory authorities in every EU country you deal with, so check this. Once you have analysed which supervisory authorities you will have to deal with, if you conclude that you can still rely on the 'one stop shop' regime, document this clearly for your records.
Thursday 13 May 21