COVID-19 has dominated the headlines over the past six months, so much so that Brexit seems to have taken a backseat and has not been the focus or priority for many businesses.
However, we must not forget that the UK left the EU on 31 January 2020 and is currently in a transition period until 31 December 2020.
If your business is based in the UK and the General Data Protection Regulation (“GDPR”) applies to your processing of personal data, there are a number of steps your business should be taking now to ensure compliance at the end of the transition period. With only four months to go, it’s time to act.
Will the GDPR still apply at the end of the transition period?
In short yes. The GDPR will be retained in domestic law at the end of the transition period, but the UK will have the independence to keep the framework under review. The ‘UK GDPR’ will sit alongside an amended version of the Data Protection Act 2018 (“DPA 2018”).
The key principles, rights and obligations will remain the same. However, there are implications for the rules on transfers of personal data between the UK and the EEA.
The UK government intends that the UK GDPR will also apply to controllers and processors based outside the UK if their processing activities relate to offering goods or services to individuals in the UK; or monitoring the behaviour of individuals taking place in the UK.
Will UK businesses still be able to transfer data to and from other countries including Europe?
At the end of the transition period there will be two sets of rules to consider:
· the UK rules on transferring data outwards from the UK; and
· the impact of EU transfer rules on those sending you personal data from outside the UK (including from the EEA) into the UK.
In both cases, you can transfer personal data if it is covered by an adequacy decision, an appropriate safeguard or an exception.
How should businesses prepare?
UK businesses are advised to look at what they are doing now and to identify whether they are likely to be involved in any international transfers of personal data after the transition period. In particular, businesses should look to identify and document:
· any transfers the business makes from one country to another;
· the volume and type of data being transferred (particular attention should be given to transfers which involve large volumes of data, including special categories of data or criminal convictions and offences data, or which are business-critical);
· whether the transfers are inside or outside the EEA (in relation to data originating in the EEA);
· what legal basis is being relied on for the transfers; and
· what appropriate safeguards are in place (or can be put in place) to govern the transfer. Usually the simplest way to provide an appropriate safeguard for a restricted transfer from the EEA to the UK is to enter into standard contractual clauses with the sender of the personal data.
Will UK businesses need European Representatives?
If your business only has a UK presence but offers goods or services to individuals in the EEA, or monitors the behaviour of individuals in the EEA, then you will still need to comply with the EU GDPR regarding this processing even after the end of the transition period.
As you will not have a base inside the EEA after the transition period ends, the EU GDPR requires you to appoint a representative in the EEA. This representative will need to be set up in an EU or EEA state where some of the individuals whose personal data you are processing in this way are located.
You will need to authorise the representative, in writing, to act on your behalf regarding your EU GDPR compliance. You will also need to give details of your representative to EEA-based individuals whose personal data you are processing. This may be done by including them in your privacy notice.
If your business carries out cross-border processing of personal data, across member state borders, but still within the EEA there are a number of factors to be taken into consideration in advance of the end of the transition period.
What is cross-border processing?
Cross-border processing is either:
· the processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union, where the controller or processor is established in more than one Member State; or
· the processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
How should businesses prepare?
UK businesses are advised to consider whether they will continue to carry out cross-border processing after the end of the transition period. If you will continue to carry out cross-border processing, and your current lead authority is the ICO, you are advised to review the European Data Protection Board (EDPB) guidance, and consider which other EU and EEA supervisory authority will become lead authority at the end of the transition period (if any).
If you determine that you will no longer carry out cross-border processing after the end of the transition period, but your processing will continue to be within the scope of the EU GDPR (for example, if you are ‘targeting’ individuals in the EEA), this could be a key change for your business and you are advised to consider its impact.
There is also likely to be a regulatory impact on cross-border processing, because the ICO will no longer act as a lead supervisory authority under the EU GDPR’s one-stop-shop mechanism once the transition period ends.
These provisions are complex and we recommend you obtain legal advice about how these provisions might apply to your business at the end of the transition period.
Disclaimer: Information made available on this website in any form is for information purposes only. It is not, and should not be taken as legal advice. You should not rely on, or fail to take any action based upon this information. You should obtain your own independent legal advice. Jolliffe & Co LLP will be pleased to discuss with you any legal concerns you have in relation to this subject matter.