The Brexit transition period ends on 31 December, which means that from then the UK will no longer be treated as part of the EU for data protection purposes. In this article we look at the key data protection compliance implications for businesses.
Activities within the UK
If you are a UK-based business with UK-based customers, there is no real change needed from your existing compliance levels, as the UK is adopting the EU's General Data Protection Regulation (the EU GDPR) into its domestic law from 1 January 2021. The changes you will need to make will be minimal. For example, your privacy terms issued to customers and employees will need to remove any references to the EU GDPR and simply refer to the applicable UK legislation, primarily the UK Data Protection Act 2018 (the UK DPA).
International activities by UK organisations
If you are a UK-headquartered business selling to consumers in the UK and in the EU, either online or through retail stores operated by subsidiary companies in the EU, the position is more complex.
Customers based in the EU will continue to benefit from the protection of the EU GDPR, and that is what the UK parent must comply with in relation to them. For UK-based customers dealing with the UK parent, the UK DPA will apply. For UK customers dealing with the EU subsidiaries, the EU GDPR will apply.
Because you are dealing from the UK with customers in the rest of Europe (e.g. through online sales), you will need to appoint an EU-based representative to be a point of contact for those customers and for EU-based regulators.
When you appoint an EU representative you will need to explain who they are and how to contact them in the privacy notices issued to your affected customers.
Sharing and transferring personal data
You will need to consider how your EU subsidiaries can share personal data with you. This is most likely to be data about customers or employees, and “sharing” personal data can be as simple as the UK head office accessing remotely the personal data about customers or employees held by its EU subsidiaries.
The reason to consider this is that the UK becomes a "third country" from 1 January 2021. While this would not affect your ability to transfer data into the EU, your EU subsidiaries will need to put in place an EU-approved "gateway" allowing transfers from the EU to the UK, starting from 1 January 2021. This is most likely to be achieved by Standard Contractual Clauses (SCCs).
It is important to update your records of processing to set out the new arrangements you have put in place to deal with the impact of the end of the Brexit transition period. A Data Protection Impact Assessment (DPIA) or other means to record the basis of your risk and compliance assessment, made in respect of international transfers, is advisable.
For further information on data protection compliance, please contact Claire Sumner.
Senior Commercial Associate
Jolliffe & Co LLP
Tel: 01244 310 022
Disclaimer: Information made available on this website in any form is for information purposes only. It is not, and should not be taken as legal advice. You should not rely on, or fail to take any action based upon this information. You should obtain your own independent legal advice. Jolliffe & Co LLP will be pleased to discuss with you any legal concerns you have in relation to this subject matter.