EU and UK data protection law is now aligned – UK organisations don’t have to make changes to accommodate the Withdrawal Agreement. GDPR applies alongside the Data Protection Act 2018.
There is yet to be a decision on adequacy. The EU has extended its timeframe to deliberate by another six months. In the meantime, there is a ‘bridging mechanism’ which allows the continued free flow of data from the EU to the UK until an adequacy decision is made. The use of standard contractual clauses (SCCs) will be essential over the next six months to safeguard against interruption to the free flow of data. You can read more about SCCs in our guide to service companies and Brexit and on the ICO website.
The Withdrawal Agreement, Article 71(1), still applies to legacy personal data (data acquired pre-Brexit) until an adequacy decision is made. You can read more on intellectual property rights from gov.uk here, and a summary of the key changes here.
Gov.uk has also updated its guidance on copyright law. Read it here. There is also further ICO guidance on the Covid-19 recovery period and data protection, covering how to lawfully and proportionately collect data when carrying out screening measures. Read it here.
At 11pm on 31 December 2020, the Brexit transition period came to an end and Brexit really did mean Brexit. This has profound implications for data protection law and businesses’ obligations under it. There are now practical implications for transfers between the UK and the EEA and other countries outside the EU, and action will also need to be taken in other areas of data privacy compliance.
In this guide, we’ll set out the key changes to the data protection framework and what this means for UK businesses providing goods or services in the EU and vice versa.
Understanding the pre-Brexit framework for data protection in the UK
To understand the changes taking place now that the transition period has ended, it’s important to understand the pre-Brexit framework. Previously, there were four key pieces of legislation covering data protection. These were:
- General Data Protection Regulation (2016/679) (the ‘GDPR’)
- E-Privacy Directive (2002/58/EC)
- Privacy and Electronic Communications Regulations 2003 (PECR), the UK’s implementation of the E-Privacy Directive
- Data Protection Act 2018 (DPA 2018) – which covers law enforcement processing and processing by the intelligence services
GDPR, DPA and PECR
From 31 December 2020, the EU Withdrawal Act provides that EU-derived domestic legislation (PECR) and direct EU legislation (GDPR) form part of UK domestic law as retained EU law. The UK has a correcting power, exercised through statutory instruments, to amend the wording of this legislation so that it works in a UK context. Ultimately, this means that the post-Brexit situation, on its surface, is not very different from the pre-Brexit law on data protection. Businesses are still subject to the GDPR (now the UK GDPR) and the DPA 2018, as well as PECR.
EU GDPR still exists and will continue to affect many UK businesses which trade or conduct business with the EU and EEA. CJEU decisions handed down before the end of the transition period will continue to apply to UK businesses post-Brexit, although the UK may in time choose to depart from those rulings domestically.
The EU has been intending to replace the E-Privacy Directive for the past two years, but the replacement has still not come into effect. Because it did not come into effect before the end of the transition period, it will not apply to the UK. It is likely, however, that the UK will adopt something similar domestically.
After the transition period...
From 1 January 2021, UK organisations have to comply with the new UK regime, consisting of PECR, the UK GDPR and the DPA 2018. However, if you are a UK organisation that has processing activities in the EU, or you are targeting or monitoring individuals in the EU from the UK, you’ll be subject to regulatory responsibilities under both regimes.
Dual regulatory exposure
EU GDPR will apply to non-EU businesses which don’t have a fixed establishment in the EU but are offering goods and services to, targeting, or monitoring individuals in the EU. This means that if you’re an organisation in the UK without a fixed establishment in the EU, you’ll need to comply with EU GDPR, case law from the CJEU and the national data protection laws of any member states you do business with. This will be in addition to the UK regime.
Ultimately, both regimes are similar in practice, but in the long term they may diverge, so make sure you stay familiar with both.
What does this mean for businesses?
These changes have knock-on effects for UK and non-UK businesses.
You may have to appoint a separate UK Data Protection Officer and have a legal EU representative. Exposure to both regimes means you’ll face the risk of fines and sanctions from both sides.
Non-UK businesses are subject to very similar changes (but in reverse!). UK data protection law will apply to businesses without a UK establishment and will have to be followed. Businesses in EU states not previously caught by the DPA 2018 will now have to consider any extra obligations under the Act which go beyond EU GDPR. These businesses will need to consider how to manage the double jeopardy risk for any data protection infringement.
Non-UK businesses will need to consider these key questions in relation to their compliance obligations:
- Are there specific UK requirements to be met?
- If your non-UK business collects special categories of personal data about individuals in the UK, do you have the policy documents in place to comply with the DPA 2018 requirements?
- Will processing require you to appoint separate DPOs both in the EU and UK or a local representative in the UK?
- Does your non-UK business have procedures to deal with the ICO as well as the lead supervisory authority in the EU?
- Has your non-UK business registered with the ICO?
- Does your non-UK business have procedures in place to deal with dual reporting obligations in the event of a data breach?
What can businesses do whilst we wait for a decision on adequacy?
As tempting as it is to wait until a decision over adequacy is made, there are some preparatory steps that would be prudent to take now. The following steps can be done now without knowing the outcome of the adequacy question.
What is adequacy?
An adequacy decision is the EU’s approval, following an assessment under EU GDPR, that current UK legislation provides an adequate level of protection for personal data transferred from the EU.
In the meantime, whilst we await a decision, valid data transfer mechanisms need to be in place from 31 December 2020. Given this short time period, businesses may want to put standard contractual clauses into effect as soon as possible.
Either way, data mapping will need to be done, not just for data transfers but for other aspects of data protection compliance too.
Data transfer mapping
Understanding how your data flows is very important. You should start establishing now what data transfers are taking place in and out of the UK. This level of data mapping will be a requirement under UK and EU GDPR. Many businesses assume that this level of detail is already recorded somewhere in their processing, but it is often lacking.
Current data transfer information usually only covers transfers out of the EU generally, rather than specific transfers in and out of the UK. This data mapping exercise is likely to take some time, so you should get started as soon as possible. You’ll need to understand transfers from both a UK and an EU GDPR perspective and map transfers from the UK into the EU and vice versa. Mapping should also cover onward transfers, e.g. to other non-EU locations, which are also caught by the EU regime.
Once these data transfers are mapped and understood, the results of the Brexit trade deal can be actioned.
Many business contracts will need to be amended, and definitions will need to be updated to replace references to EU legislation with UK GDPR and UK data protection law.
Records of processing
Now that the transition period has come to a close, the UK is a third country for EU GDPR. Likewise, EU member states are now third countries for UK GDPR. Records of processing must include information about transfers to third countries. Many businesses don’t already do this, so they will need to update their records to include this as part of the mapping process.
Because the two regimes are so similar, you probably won’t need separate policies for both for now. However, if the regimes start to diverge you may need to reconsider, so keep this in mind for the foreseeable future.
Internal policies and procedures
How much amendment is needed will differ between businesses and will depend on how much of your policy and procedures are based on or refer to EU regulations and law. You’ll need to review all of them to see if they need amendment.
Under the dual regime you’ll need to consider the process for notifying breaches. If you are a UK business and you currently only inform the ICO, you may need to review this going forward.
Data Protection Officer (DPO) considerations
You’ll need to consider where your DPO is based. If your DPO is in the UK, you might need a separate DPO in the EU who has expert knowledge of EU data protection law in practice. This may be the same person if your UK-based DPO has the required knowledge, but you’ll need to review this as soon as possible.
If you’re established outside the EU and you process personal data of data subjects in the EU in order to offer them goods and services or to monitor their behaviour, EU GDPR requires you to appoint an EU-based representative unless an exemption applies. This means that if you’re a UK-established business which provides cross-border goods or services into the EU but no longer has an establishment there after the transition period, you’ll need to appoint an EU representative in a member state where at least some of your data subjects are located.
Once the representative is appointed, there are steps to take:
- We recommend that a short-form appointment document be drawn up to record the arrangement.
- Information about your representative needs to be readily available or easily accessible to your supervisory authority, by publishing it clearly on your website. The European Data Protection Board has indicated that supervisory authorities are able to initiate enforcement action, including fines, against representatives in the same way as against controllers or processors, but this is still not 100% clear. It is, however, something to bear in mind when setting out terms with your representative.
Businesses outside the UK will also need a UK representative under UK GDPR if they are not established in the UK but provide goods and services into the UK – this representative should have been appointed by 31 December 2020, so if you have not done this already, do it as soon as possible. The same considerations apply as with an EU representative, but under UK GDPR instead.
NB: a representative is not the same as a DPO.
Lead supervisory authority
We don’t expect that this regime will extend to the UK, or that the ICO will retain a lead supervisory authority role for EU data processing. This means that businesses which have had the ICO as their lead supervisory authority will need to think about how the ‘one stop shop’ regime will apply to them in the future. You’ll probably have to deal with the ICO and with the authorities in all the other countries you deal with – you should check this. Once you have analysed which supervisory authorities you’ll have to deal with, if you think you can still rely on the ‘one stop shop’ regime, you should document this clearly for your records.