YOUR COMPLIANCE MATTERS: Data Protection and Brexit
Relevance: Any firm transferring data in and out of the EU.
Action required: Check what personal data is collected and held to comply with new laws.
The UK left the EU on 31 January 2020 with a Withdrawal Agreement and entered a transition period which is due to operate until 31 December 2020.
So, from 01 January 2021, a number of things will change. We have recently pointed firms to a couple of areas affected, “Consumer Rights” and “Passporting”. Another one is Data Protection.
Data protection law in the UK before 31 December 2020:
· UK organisations that process personal data are currently bound by two laws: the EU GDPR and the UK DPA (Data Protection Act) 2018;
· Both laws continue to apply until the end of the transition period.
Data protection law after 31 December 2020:
· The EU GDPR will no longer apply directly in the UK at the end of the transition period;
· However, UK organisations must still comply with its requirements after this point;
· First, the DPA 2018 enacts the EU GDPR’s requirements in UK law;
· Second, the UK government has issued a statutory instrument, which amends the DPA 2018 and merges it with the requirements of the EU GDPR to form a data protection regime that will work in a UK context after Brexit;
· This new regime will be known as ‘the UK GDPR’;
· There is very little material difference between the EU GDPR and the proposed UK GDPR, so organisations that process personal data should continue to comply with the requirements of the EU GDPR;
· The EU GDPR’s requirements as implemented by Parts 3 and 4 of the DPA 2018 will continue to apply for law enforcement and intelligence purposes.
UK GDPR:
· Will apply to processing of personal data by controllers and processors with a physical presence in the UK (whether or not the processing takes place in the UK), and also to processing activities in relation to a data subject who is in the UK at the time.
· The subject doesn’t necessarily have to be a UK resident – if they’re in the UK at the time their data is processed, the legislation will capture them.
EU GDPR:
· Will still apply to some UK businesses, if they offer goods or services to individuals in the EU or monitor the behaviour of EU citizens.
· Will also continue to apply to ‘legacy data’ until an EU adequacy decision for the UK is granted, after which time UK GDPR will apply.
o Legacy data is any data and information received from the EU which is processed before the end of the transition period or on the basis of the Withdrawal Agreement.
So, if businesses are transferring data from the UK to another country, so long as they are compliant now, there will effectively be no change. The UK has temporarily recognised all of the countries that are regarded as adequate by the EU, so it is maintaining its current position for now, and there aren’t any signs at the moment of an intention to change that.
Finally, a statement from Elizabeth Denham, Information Commissioner:
“It is perhaps a telling reflection on the past year that the end of the UK’s transition period with the EU has been a secondary concern for many DPOs in 2020. And yet the end of the transition period may bring the most significant change to data protection in the UK since the implementation of the GDPR three years ago.
There remains hope that an adequacy decision may yet be reached, which would allow the UK to continue to access the free flow of personal data provision granted for those within the EU.
But organisations cannot rely on this. The stakes are too high, with the risk that the data flow tap from the EU is turned off, and with it the flow of HR records, customer details and data from cloud services.”
This situation does not affect many, if any, of our client firms, but we feel it is worthwhile issuing this newsletter as part of our ongoing reminders to firms of the effect of Brexit on business.
We will continue to review the relevant changes that need to be made from January 2021 as a result of the transition period ending and will advise firms accordingly.
If you need to discuss any aspect of this matter with us, please make contact in the normal way.