We’re rapidly approaching the end of the Brexit transition period which expires on 31 December 2020. During the transition period, the provisions of the EU General Data Protection Regulation (2016/679) (“GDPR”) and Data Protection Act 2018 (“DPA”) continued to apply in the UK (as if we were part of Europe) and organisations processing personal data were advised to continue to follow the existing rules.
It was hoped that the UK would achieve an “adequacy decision” from the European Commission by the end of the transition period, meaning the EU had deemed the UK to have adequate safeguards in place to protect personal data that align with the EU standards. Unfortunately, in light of the ongoing negotiations and recent developments in case law, it looks like we are not going to receive an adequacy decision by 31 December 2020, so organisations must start to consider the practical steps they should take to ensure they remain compliant with data protection law from 1 January 2021.
The intention is for the GDPR to be implemented into UK law to sit alongside the DPA. However, there may be some differences introduced, and it will be increasingly important to keep up to date with any proposed changes to ensure your organisation remains compliant. In addition, the EU version of the GDPR may still apply to your business activities if you:
- operate in Europe;
- offer goods or services to individuals in Europe; or
- monitor the behaviour of individuals in Europe.
Likewise, the EU version of the GDPR will still apply to any organisations in Europe who send your organisation personal data, and they may also need assistance to understand how to comply with the new legal regime.
What should you do now?
Review your data flows
It is critical to understand where personal data is being transferred within your organisation and through your supply chain, not only as part of good information governance, but also to ensure that at the end of the transition period your data processing activities remain compliant with applicable laws. Having a clear and updated data flow map will make this process easier.
If you use cloud services as part of your business, it may be worth considering whether the location of your data centres will be impacted after Brexit and whether a UK based model may better suit this changing landscape.
Check your key contracts and legal basis
The UK government has said that transfers of data from the UK to the European Economic Area (EEA) will not be restricted. However, from the end of the transition period, unless the EU Commission grants the UK an adequacy decision, GDPR third country transfer rules will apply to any data coming from the EEA into the UK. You need to consider the GDPR compliant safeguards, such as standard contractual clauses, Binding Corporate Rules or a derogation set out in the legislation, that you can put in place to ensure that data can continue to flow into the UK. Such transfer mechanisms may also be impacted by the recent Schrems II decision, which provides commentary around the adoption of model articles (for more information read: Schrems II: Privacy without a shield and Transferring personal data from the EU to US? Check your legal basis!).
Update privacy notices and policies
Review your privacy information and documentation to identify any changes that need to be made at the end of the transition period to reflect the updated legal framework and any changes implemented in your business in respect of processing personal data.
Consider if a European representative is required
You may need to appoint a representative from the end of the transition period if you are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA.
Can we help?
Contact our Data Protection Team if you need advice and guidance in preparing your organisation to be ready.