Applicable Laws in the UK
Following the end of the Brexit transition period, the EU General Data Protection Regulation (“GDPR”) has now been incorporated into UK data protection law as the “UK GDPR”. In practice this means that the main principles, obligations and rights that we have become used to under the EU GDPR will remain the same.
The Privacy and Electronic Communications Regulations covering marketing, cookies and electronic communications, as well as the UK Data Protection Act 2018 will continue to apply too. The ICO will remain the independent supervisory body regarding data protection laws in the UK.
The EU GDPR will still apply to businesses operating in Europe offering goods or services to individuals in Europe or monitoring the behaviour of individuals in Europe.
Transfers of Data – no change in practice (for now)
Transfer of data from the EU to the UK are now “restricted transfers”. A transfer mechanism is therefore required to transfer data safely and lawfully in this way. The European Commission is in the process of assessing whether the UK’s data protection framework will offer adequate protection of personal data.
In the meantime however, the Trade and Cooperation Agreement (TCA) signed by the UK and EU in December 2020 implemented a “data bridge” allowing a 4 to 6 month grace period in relation to transfers of personal data from the EU to the UK. This means that in the short term at least, data can continue to flow from the EU to the UK without the need for additional safeguards to be put in place.
The UK has deemed all EEA (European Economic Area)/EU countries as “adequate” as well as the same 12 countries as the European Commission (including New Zealand, Jersey (CI) and Switzerland). This means the free flow of personal data to these countries from the UK can also continue.
The position also remains the same where data is transferred from the UK to “third countries” where an adequacy decision has not been granted. In such circumstances additional safeguards will need to be put in place to protect data being transferred, such as Standard Conditional Clauses (“SCCs”) or Binding Corporate Rules. This will apply to countries such as the US (following the invalidation of the US Privacy Shield), India and South Africa.
For now, European Commission-approved SCCs continue to apply, however they are currently being revised so companies will need to keep this in review.
Data Protection Representatives (DPRs)
DPRs act as a point of contact for lead supervisory authorities and data subjects. They must be established in an EEA member state where the data subjects are based. A DPR is not required if you have a branch, office or establishment within the EEA, you are a public authority or processing is occasional or low risk (no special category or criminal offence data).
If this is not the case, a DPR will now be required for companies based in the UK and offering goods and services to, or monitoring the behaviour of, EEA data subjects.
Change of lead supervisory authority
Post-Brexit, a company with a UK office and also another office in the EEA will have to deal with both the UK ICO (UK supervisory body) and the applicable supervisory body in the EEA too.
Companies with more than one office in the EEA would only need to deal with one lead authority in the EEA. This is usually in the country with the largest customer base.
If you do not have an establishment in the EEA but still offer goods and services to, or monitor the behaviour of, EEA data subjects, you will need to comply with UK data protection laws and the EU GDPR too and you may have to liaise with supervisory authorities in all the locations where you are processing data of those subjects. The DPR will act as lead on behalf of EEA authorities.
Administration Changes to Make Now
• We would recommend that organisations work to update their privacy notices, data processing clauses and internal policies to reflect the change from the EU GDPR to the UK GDPR. This is likely to involve changing references from “EEA”/”EU” to “UK” and from “EU GDPR” to “UK GDPR”.
• Additionally, any data breaches may now need to be notified to both the ICO in the UK as well as the supervisory body in the relevant EU country if applicable too. Data breach management procedures should be updated accordingly.
• Details of your appointed EU and/or UK GDPR representative should be included in your privacy notice, where applicable.
• It remains to be seen whether an adequacy decision will be granted in the UK’s favour by the European Commission. UK surveillance laws may be a stumbling block. It is therefore advisable to start thinking about implementing cross-border personal data transfer agreements incorporating SCCs.
If you would like any further advice on the matters mentioned above or have any other data protection queries, please get in touch.
Madeleine Rhodes email: firstname.lastname@example.org