What Brexit means for UK Data Protection

When the UK transition period for leaving the EU finishes on 31 December 2020, the EU General Data Protection Regulation (GDPR) will not apply in the same way that it has done so. At 11pm on 31 Dec 2020, the EU GDPR will be replaced with UK GDPR.

Under the new UK GDPR, the main principles, obligations and rights of the EU GDPR will stay the same. There will however be some key changes, crucially to international transfers and data protection representatives.

International Transfer of Data
Data transfers from UK to EEA
• After the transition period, the transfer of data from the UK the EEA will be a restricted transfer.
• An adequacy decision has been made in the UK in favour of EEA countries which means that transfers from the UK to the EU are permitted with no changes or further safeguards required.

Data Transfers from EEA to UK
• For organisations sending data to the UK from the EEA or receiving data from the EEA in the UK, the EU GDPR will continue to apply. This means the transfer will be restricted requiring an adequacy decision to be in place or another safeguard to protect the data.
• The UK is currently going through an adequacy decision assessment by the European Commission.
• If granted, an EEA organisation will be able to send data to the UK without extra safeguards.
• If no adequacy decision is granted in favour of the UK, other safeguards will be required.
• Such safeguards include Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCR), an approved Code of Conduct or schemes such a privacy shield to be in place. Commission-approved SCCs are often the most popular.
• Existing EU-approved SCCs will be recognised after the transition period as an appropriate safeguard but will need to be amended to have the UK described as a “third country”.
• UK specific SCCs are expected in the new year.
• For companies with existing BCRs, these need to be re-authorised by the UK ICO under the UK GDPR before 30 June 2021.

Data Transfers from UK to non-EEA countries
• This is still a restricted transfer, as it is now.
• UK companies can rely on the same mechanisms in place under the EU GDPR (existing adequacy decision or appropriate safeguards, as listed above).

Data Transfers from non-EEA countries to UK
• The UK is working with non-EEA counties and territories to make specific arrangements for transfers to the UK.
• If this is not achieved, it is for the sender of the data to ensure compliance with their local data protection legislation but the UK organisation should check to see if it also needs to comply with the local laws of the sender. Once the data is received the company must ensure it complies with the UK GDPR.

Data Protection Representatives (DPRs)
DPRs act as a point of contact for lead supervisory authorities and data subjects. They must be established in an EEA member state where the data subjects are based.

A DPR is not required if you have a branch, office or establishment within the EEA, you are a public authority or processing is occasional or low risk (no special category or criminal offence data).

If this is not the case, after the transition period, a DPR will be required if a company is based in the UK and offering goods and services to or monitoring behavior of EEA data subjects.

Change of lead supervisory authority
After the transition period, a company with a UK office and also another office in the EEA will have to deal with both the UK ICO (supervisory body) and the applicable supervisory body in the EEA too.

If you have more than one office in the EEA, you would only need to deal with one lead authority in the EEA. This is usually in the country where you have the largest customer base.

If you do not have an establishment in the EEA but still offer goods and services to or monitor the behavior of EEA data subjects you will need to comply with UK data protection laws and the EU GDPR too and you may have to liaise with supervisory authorities in all the locations where you are processing data of those subjects. The DPR will act as lead on behalf of EEA authorities.

Final points to note
• The Privacy and Electronic Communications Regulations and UK Data Protection Act 2018 will remain in place and continue to apply in the UK.
• It is still a requirement to have a data protection officer (if currently required). The DPO can cover both the UK and EEA, provided they are easily accessible by all establishments in both places
• The ICO will still be the regulator in the UK for all data protection matters.
• There is a transition period but UK companies should work to update existing documentation to reflect the new legislation as soon as possible (contracts, policies, SCCs, etc.). All references to the EU GDPR should be replaced with the UK GDPR.

If you would like any further advice on the matters mentioned above or have any other data protection queries, please get in touch.

Madeleine Rhodes mrhodes@redfernlegal.com