At 11pm on 31st December, the Brexit Transition Period ends, and the UK formally leaves the EU. 

As of the 1st January 2021, the EU GDPR will not apply and the Data Protection Act 2018 becomes our primary data protection framework. This will be known as the UK GDPR.

Now that a Deal is in place, what does Brexit mean for compliance with the EU GDPR and the UK GDPR, and what does it mean for businesses?

Contact us now and we will explain in simple terms what it means for you.

In simple terms, the UK’s data protection framework – the Data Protection Act 2018 – is incorporated into the Withdrawal Act Bill and will be known as the UK GDPR. This is entirely separate from the EU GDPR and means the UK is considered a third country.

The Deal states that for a period of up to six months, the UK has been granted temporary adequacy, so transfers of personal data from the EEA into the UK are permitted and continue to be lawful. This is on the condition that no changes are made to the UK’s data protection framework during this period. If changes are made, this temporary adequacy ruling will lapse and transfers into the UK from the EEA will become unlawful. This also means those who were hoping that the GDPR (or an equivalent) would no longer apply will be disappointed. Data protection is an essential component of every business!

Under Article 27 of the GDPR, UK companies must also appoint an EU Representative if they have substantial trading operations in the EU but no operational base there.   

This also applies to businesses in the EU that offer products and services to individuals in the UK, but have no operational base. 

Details are below, but contact us now to discuss how we can help you remain compliant.

What is Adequacy – and what are the other possible mechanisms?

1. Adequacy

An adequacy decision means the European Commission has formally accepted that the country processing the personal data does so in a satisfactory manner and in line with the demands of the EU GDPR.

If a country is granted an adequacy decision, this permits the free transfer of personal data from an EEA country (bound by the EU GDPR) to that non-EEA country without having to put additional safeguards in place.

If adequacy is not granted, the movement of personal data from the EEA into the UK becomes a restricted transfer and is unlawful. The sender assumes responsibility for this, which could put them in breach of the EU GDPR – they will need to assess the risk of this independently.

As an adequacy decision has been temporarily granted to the UK, this permits the free flow of personal data from the EEA to the UK.

2. An appropriate safeguard, such as a Standard Contractual Clause (SCC) being inserted into an existing contract, or a Binding Corporate Rule (BCR) being drafted.

If you believe SCCs are the most appropriate option for you, then we can prepare these for you – contact us now.

BCRs are more suited to larger organisations with operations in multiple countries where personal data moves around the Group. These are drafted in co-operation with the Supervisory Authority (the ICO in the UK) and take considerable time to finalise.

If BCRs are most appropriate for you, we can advise on this and help you prepare for them – contact us now.

3. An Exemption Rule

This can be relied upon in very specific cases and European Data Protection Board (EDPB) guidance must be referred to.

In this case, the sender (in the EEA) must determine whether the exception applies and it should only be used when the transfers are occasional and non-repetitive.

What Does This Mean In Practice – Now We Have A Deal

Sending personal data from the UK to the EEA:

  • After the end of the transition period (1st January 2021), transfers of personal data from the UK to the EEA will be permitted as data is being transferred into an area that is subject to the EU GDPR which is a known acceptable standard. There is no change here.

Receiving personal data from the EEA:

  • For the initial 6 months, there is no change – data can be transferred into the UK as it has been previously. It is likely this adequacy decision will continue long-term.

    If adequacy is lost after the initial 6-month grace period, then it will be the responsibility of the EEA country sending the data to comply with the EU GDPR and ensure the appropriate mechanisms are in place to cover the transfer process. They are likely to request that SCCs are inserted into existing contracts.

Sending personal data from the UK to a Non-EEA country & where we have an adequacy decision in place:

  • No restrictions on these transfers, as adequacy is in place. The countries are: Andorra, Argentina, Canada (commercial only), Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Uruguay, Japan.

Receiving personal data into the UK from a Non-EEA country:

  • As it stands, these transfers may continue. If we lose adequacy long-term, it will be down to the sender to determine their compliance with the EU GDPR. They may make additional demands on the UK-based company to ensure they comply.

Sending & Receiving personal data between the UK and the US:

  • The UK ICO are upholding the decision by the Court of Justice of the European Union (CJEU) that the US Privacy Shield (the US data protection framework) is invalid. This means transfers of personal data between the UK and the US require Standard Contractual Clauses to be lawful.

EU & UK Representatives:

With the UK formally leaving on 1st January 2021 – and a Deal being agreed to signify the end of the Transition Period – under Article 27 of the GDPR an EU Representative must be appointed when a company in the UK offers goods and services to EEA individuals (or monitors their behaviour) AND there is no operational branch, office or establishment in the EEA in which a DPO is already present or can be put in place.

Privacy Helper can manage this appointment process through our network of EU data protection professionals – contact us now to discuss.

Non-UK businesses that process or monitor the personal data of UK citizens as a core element of their operation must appoint a UK data protection Representative if there is no operational branch, office or establishment in the UK. 

Privacy Helper can provide this service to clients in the EEA via our existing DPO service or contact us now to discuss. 

An EU / UK Representative is NOT required when the company has a base or established office in the EEA or UK, or the processing is considered low risk / occasional (this has yet to be defined by the EDPB).

The role of the Representative will be to act on behalf of the business on any matters relating to data protection (EU GDPR / UK GDPR) and to deal with any Supervisory Authorities or data subjects in their jurisdiction.

One-Stop Shop

The GDPR was originally intended to create a one-stop shop environment for European data protection.

In the event of a question or data breach, a company in the UK would contact the UK ICO regarding the issue. If it involved data subjects from multiple nationalities, the ICO would co-ordinate any investigation and liaise with the Authorities in those territories.

Following Brexit, the UK ICO will act alone and only investigate data protection matters involving UK individuals.

If EEA data subjects are involved, you will need to contact the appropriate Supervisory Authorities directly. In the event of a data breach, this will mean multiple investigations will take place and, where appropriate, you may have multiple enforcement actions imposed, including fines.

Many Supervisory Authorities in the EEA are far stricter than the ICO with enforcement, so be aware your processing activities may become the focus of the European Authorities.

In summary - where does my business sit?

  • If your business is UK based and offers its goods or services to predominantly UK customers, then you will need to do very little.

    Consider reviewing your critical suppliers to ensure their operations are UK-based. If they are not UK based, contact them to ask about their Article 27 considerations.

    Contact us now for guidance on this approach.

  • If your business is UK based, but has a significant customer base or supply chain in the EEA, then contact us now.

    We will help you to understand how Brexit will affect your business and the changes you need to implement over the coming months to remain lawful.

  • If you are based in the EEA and have a significant customer base or supply chain in the UK, contact us now.

    We will help you to understand how Brexit will affect your business and how we can provide a UK DPO Service to ensure you remain lawful.

Our skilled team has experience in all areas of data protection and our European network of privacy specialists can provide representation under Article 27 to organisations with activities in both UK and EU territories.

What is Brexit?

Brexit is the withdrawal of the United Kingdom from the European Union. The transition period comes to an end this year.

How much will this cost?

Our pricing structure is simple, straightforward and highly competitive. Head over to our pricing page and take a look at our most popular packages.

What next?

Get in touch via our contact us page, tell us about your business and a member of our team will get back to you.

Other services you may be interested in from PRIVACYHELPER

DPO services

We offer DPO packages to suit your business needs – from a basic advisory service for smaller businesses to integrating ourselves within the operation of larger businesses.

GDPR Consultancy

Our Privacy Team consists of expert data protection consultants in the fields of IT & Technical, Legal, Records Management and Marketing.

Training

An effective, demonstrable training programme can be the difference between the ICO imposing monetary fines – or not, even if your data privacy programme has just started.
