New Year, New Data Rules?
Data protection post-Brexit transition – how it impacts your organisation
One of the key issues surrounding Brexit was how UK data protection would be managed after leaving the EU. Following the end of the transition period on 31 December 2020, we outline what this means for your organisation.
Does the GDPR still apply in the UK?
While the EU GDPR no longer applies, the new ‘UK GDPR’ scheme has now been implemented. The UK GDPR sits alongside the DPA 2018 with some technical amendments so that it works in a UK-only context.
Broadly, if you complied with the EU GDPR, it is likely you will comply with the UK version.
Importantly though, if your organisation works with European organisations and processes the data of EU residents, then the EU GDPR will still apply.
What is the six-month adequacy ‘bridge’?
The UK-EU Trade and Cooperation Agreement creates a ‘bridging mechanism’ until adequacy for the UK is agreed by the EU. This is effectively a ‘grace period’ which means that, until adequacy has been adopted, there will continue to be a free flow of data between the European Economic Area (EEA) and UK.
Guidance from the Information Commissioner’s Office (ICO) states: “Unless the EU Commission makes an adequacy decision before the bridge ends, EU GDPR transfer rules will apply to any data coming from the EEA into the UK. You need to consider what safeguards you can put in place to ensure that data can continue to flow into the UK. If you receive personal data from the EEA, we recommend you put alternative safeguards in place before the end of April, if you haven’t done so already.”
What should my organisation do now?
The implementation of the UK GDPR is an opportunity to review how your data is currently managed.
For us, there are several areas to consider:
1. Know your data processing activities – This is important so your organisation can fully understand your data relationships with third parties outside of the UK. This information can then be used to map out your global data residency – it’s not just UK and EU GDPR that needs to be considered here, you also need to take into account data privacy laws from other nations. You should then investigate whether the data residency in the EU requires you to have an EU country representative.
2. Assess third parties – Third parties - and the contracts you hold with them - are also an important area to review. You should impact assess all third parties you work with, including a full review of the data protection clauses in their contracts. This should include locality i.e. whether it is an adequate country vs non adequate (this should also be added this to your tendering process), and appropriate contract structure, including the use of Standard Contract Clauses (SCCs).
3. Review contracts and procedures – You should ensure your contracts and policies are updated to reflect that the UK is no longer a member of the EU. It is also likely that any organisations who you partner with in the EU will update their contracts with you to include the SCCs – be prepared for this including any legal reviews that will need to take place. Although these clauses cannot be amended, they may contain further detail on processing activities and obligations.
In addition, it is good practice to keep all of your contracts in one place ready to be reviewed. We have worked with many companies who manage contracts at a departmental level – this makes keeping on top of and preparing for adaptations more difficult to manage.
4. Consider Binding Corporate Rules - Companies with operations outside the UK should consider Binding Corporate Rules (BCRs), which are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of the EEA. They help you to avoid having to approach each individual data protection authority separately.
5. Be transparent - When it comes to operational considerations, a key factor is to be transparent on the data processing activities that include third parties outside of the UK. This should be included in Privacy Notices and on data capture forms, in the form of privacy statements.
6. Keep up to date with the DPA - You should also maintain a strong and ongoing knowledge of the Data Protection Act, and UK GDPR, including any new and emerging case law. Always take legal advice if you are unsure.
7. Implement ongoing data protection impact assessments (DPIAs) – to ensure your data protection obligations are being met, and to keep track of the data residency and contractual statuses across your systems, ongoing DPIA assessments will be a key tool.
In conclusion, while the UK GDPR is very similar to the EU GDPR, there will be changes to how data is managed and transferred with the EU. Organisations should take the time during the six-month adequacy bridging mechanism to ensure their data protection policies, contracts and procedures are fully compliance with the amended rules.
Some additional useful resources about what the Withdrawal Agreement means for your business can be on the Government and ICO websites.
The Compliance Space can also help you effectively manage your data protection obligations and GDPR alignment – find out how by booking a demo.