It’s just over two and a half years since major changes were introduced to the data protection legal landscape in the UK with the coming into force of the GDPR.
But with the Brexit transition period now at an end, the GDPR, as an EU Regulation, is no longer automatically part of UK law. The UK is, however, adopting it into UK national law, meaning that from 1 January 2021 the UK GDPR and the EU GDPR will co-exist separately. Further major changes now affect every business in the UK.
This guide looks at the steps you should take to make sure your business is ready to manage its personal data in a post-Brexit world.
Which data protection laws apply from 1 January 2021?
The European Commission has been considering whether the UK’s laws are adequate to protect the privacy and data protection rights of EU citizens. It had not issued such a decision (known as an Adequacy Decision) by 1 January 2021 and so from that date there have been three overlapping regimes:
- The UK GDPR: a slightly expanded version of the GDPR which will apply to data processed in the UK or by an EU (or other international) business targeting customers in the UK. It will include aspects not covered by the basic GDPR, such as processing for law enforcement purposes.
- The EU GDPR, which will continue to apply, for example, if a business targets EU customers or has a base in the EU.
- A ‘frozen version’ of the EU GDPR which will apply as a safety net for EU citizens to personal data processed by UK businesses as at the last day of the transition period (31 December 2020). This version will last until an Adequacy Decision is issued.
Some UK businesses will potentially be subject to all three of the data protection regimes. These include UK businesses which:
- have operations in the EU
- sell to customers in the EU
- or monitor EU citizens through their website browsing activities.
Will there be much difference between the regimes?
Not to start with. But it’s very possible that over time the EU GDPR and the UK GDPR will diverge, particularly since the UK courts are no longer obliged to follow European Court of Justice decisions after the end of the transition period.
What do you need to do?
Will there be any effect on cross-border data transfers?
Yes, as another consequence of the UK not being granted an Adequacy Decision.
Under the EU GDPR, transfers of data around the EU can be done freely but transfers to so-called ‘third countries’ can only take place if appropriate safeguards are put in place.
The UK would have become a “third country” on 1 January 2021. A grace period was however agreed in the EU-UK trade deal concluded on Christmas Eve 2020 so that has not (yet) happened (see below). If the UK becomes a “third country” then, from that point, without an Adequacy Decision personal data can’t be transferred from the European Economic Area (the EU plus Iceland, Liechtenstein and Norway) to the UK without appropriate safeguards.
Normally, this will be done by the exporting company and the importing company putting the EU Standard Contractual Clauses (SCCs) in place between them.
And traditionally, this has been straightforward.
But things have been made a little more complicated by a recent decision of the ECJ, which, as well as invalidating the Privacy Shield, made clear that if you want to rely on the SCCs you need to make sure they’re adequate to protect individuals’ data under the laws of the third country.
How do you do that? By supplementing the SCCs to cover off any concerns: whilst you can supplement the clauses, you’re not allowed to amend them.
Remember also that data being accessed via a computer outside the UK counts as a cross-border transfer – even if the data is sitting on a server in the UK.
Fortunately, the EU-UK trade deal signed on Christmas Eve 2020 spared UK businesses from the need to have the necessary safeguards in place from 1 January 2021. A term of the deal postponed by up to six months (four plus a possible two more) the point at which the EU will regard the UK as a third country, subject to certain conditions. Although nothing is certain, it is possible that the breathing space has been agreed because the European Commission believes it will be able to issue the UK with an Adequacy Decision in the next few months before the grace period expires.
If you want to transfer personal data from the UK to the EEA, the UK Government has already confirmed it will treat the EEA as having adequate protection laws, though it will be keeping that position under review.
How to ensure you are ready for the cross-border transfer changes?
While we wait to discover whether an Adequacy Decision will be granted, you should:
- Review your key international data flows and record them in your Article 30 records of processing.
- Prioritise them, in terms of volume or key data or sensitive special category data that’s flowing, and tackle the most important first.
- Prepare ready-to-use versions of the SCCs so that cross-border data transfers are not disrupted if the grace period ends at the end of April (or June if it is extended) without an Adequacy Decision for the UK. Don’t forget that SCCs will be needed even for transfers from an EEA company to a group company in the UK.
- Identify your processors in the EU (e.g. cloud, HR, payroll, database service providers). And ask them what appropriate safeguards they propose to use.
- Consider how to deal with transfers by your EU processors to you as controller in the UK, because as things stand at the beginning of 2021, the only approved SCCs which currently exist are:
  - from controllers to processors, or
  - from controllers to another controller.
Not the other way round.
However, on 12 November 2020 the European Data Protection Board published some brand new SCCs which, if adopted, will include clauses that can be used for processor-to-controller and processor-to-processor transfers.
The six months’ breathing space will pass quickly. Be ready to put the new SCCs in place (once they’re adopted) to cover any transfers of personal data from the EEA to the UK after the end of the grace period if no Adequacy Decision has been issued to the UK by then. An Adequacy Decision is not a foregone conclusion: the European Commission has previously expressed reservations about whether some of the UK Government’s legal powers to require access to personal data for national security reasons are compatible with EU rights to data protection, and also whether the UK’s participation in the Five Eyes Intelligence Network could mean EU data finds its way to the USA.
Remember that you will still also need SCCs (or another adequate safeguard) for transfers of personal data from the UK to non-EEA countries which do not have an Adequacy Decision (such as the US).
It’s expected that the previous SCCs will be repealed with a one-year transition period. So be prepared for a major contract-updating exercise for any SCCs in the old format.
What other practical steps should you be undertaking going forward?
- Identify whether you need to appoint an EU Representative:
  - If you don’t have any establishment or permanent base in the EU but you offer goods or services to individuals in the EU or monitor them, then you’ll need to appoint an EU Representative in an EU Member State where you target customers.
  - You appoint the EU Representative in writing and their job will be to liaise with the local supervisory authority, for example if there is a data breach.
  - You don’t need to appoint a Representative, however, if your processing is only occasional or low risk and if it doesn’t include special category data.
  - If you do need an EU Representative, Shakespeare Martineau’s membership of the PrivacyRules network means we can help you find the right one.
- If you trade in multiple EU countries, work out which EU Supervisory Authority will be your lead Supervisory Authority for all places in the EU. That will allow all your bases in the EU to benefit from the EU’s ‘one-stop shop’ for supervisory purposes under the EU GDPR.
  - If, however, you don’t have any bases in the EU but you do business there, you probably won’t be able to benefit from the EU’s one-stop shop and will need to think carefully about the implications of the ICO ceasing to be the Supervisory Authority for EU GDPR purposes.
  - If, for example, there’s a data breach affecting the data of EU individuals in multiple EU jurisdictions, you may well need to make notifications to the ICO as well as to every one of those EU Supervisory Authorities where customers’ data has been affected.
  - So, update your data breach notification processes to take this into account.
- Review and update your privacy notice, contracts and other documentation:
  - Refer to the correct version of the GDPR, and update the terminology where necessary.
  - Adjust what’s said about international data transfers. Remove references to the Privacy Shield and put in the right wording about SCCs and how you use them.
  - Change references to transfers outside of the EEA to transfers out of the UK.
  - Identify your EU Representative, if you’re required to have one. If you have establishments in the EU, you’ll probably need to list the relevant Supervisory Authorities that apply.
- Finally, consider refreshing the training for your staff so they understand how the new regime works.
We can help
For further guidance on how you can prepare for the personal data changes post-Brexit, contact Kim Walker or another member of the Commercial & IP team.
Our Brexit & Beyond hub contains the latest news, articles, briefings, commentary and webinars concerning the legal implications of Brexit, ensuring you have all the information to drive your strategic thinking, now and in the future.
And our free legal helpline offers bespoke guidance on a range of subjects, from employment and general business matters through to director’s responsibilities, insolvency, restructuring, funding and disputes. We also have a team of experts on hand for any queries on family and private matters too. Available from 10am–12pm Monday to Friday, call 0800 689 4064.