Following the end of the transition period (31 December 2020) the ‘UK GDPR’, which is almost identical to the EU GDPR, is now in force.

During the negotiations, the UK Government were keen to ensure that personal data could continue to flow between the EU and the UK. Some breathing space on this issue was achieved in the Trade and Cooperation Agreement (the “TCA”), which was reached between the UK and the EU in December 2020.

 

Even though the TCA has been agreed, it doesn’t deal with all aspects of data protection compliance relating to the UK leaving the EU, and there are some important aspects which all businesses need to consider as part of their Brexit planning.

 

Advice and Guidance from HBSA:

 

Following the end of the transition period the ‘UK GDPR’, which is almost identical to the EU GDPR, is now in force. Businesses established in the UK must comply with the UK GDPR, as well as some businesses outside the UK.

 

The EU GDPR may also continue to apply to UK businesses. If a UK business still has an establishment in the EU, then that business will be subject to the EU GDPR. The EU GDPR also has extra-territorial effect, this means that if a UK business outside the EEA continues to sell goods or services to individuals in the EEA, or monitors their behaviour, then they will be subject to the EU GDPR as well as the UK GDPR. ‘Monitoring’ is a broad concept which includes dropping cookies on a website and using them to profile customers in the EEA, using CCTV in the EEA, or carrying out market surveys in the EEA.

 

A UK business can therefore be subject to both the UK GDPR and the EU GDPR.

 

Regardless of whether you’re subject to the UK GDPR or the EU GDPR, your obligations will be almost identical. Any GDPR readiness project and associated documentation will still be relevant (subject to some fairly minor changes).

 

Can we still send personal data to the EEA?

 

The UK Government has confirmed that for now, businesses can still send personal data from the UK to organisations in the EEA without any additional formalities. This position is the same as pre-Brexit, although the UK Government has said that it will keep this under review.

 

Can we still send personal data to countries with an existing adequacy decision?

 

The European Commission found that a number of countries provide sufficient protection for personal data that they are deemed ‘adequate’. These countries are: Argentina, Uruguay, Jersey, Guernsey, Isle of Man, Andorra, Switzerland, Israel, New Zealand, Canada (businesses caught by Canadian data protection legislation), and Japan (private sector organisations).

This means that personal data can be sent to these countries without any additional formality. These adequacy decisions will continue after the end of the transition period, so UK businesses can continue to send personal data to those countries in the same way as before. The UK Government will also keep this under review.

 

What about sending personal data to countries outside the EEA without an adequacy decision?

 

The position will be the same as before the end of the transition period. This includes sending personal data to the US. You should be aware, however, that in the middle of July 2020, a European Court decision held that the Privacy Shield (relevant to US export) was invalidated, and further due diligence is needed before standard export clauses can be used.

 

Can we still get personal data from the EEA into the UK?

 

The ability for UK businesses to continue to bring personal data into the UK is a key issue, particularly with the increasing globalisation of business. The UK is now outside the EEA, and so the provisions in the GDPR that allow personal data to be sent around the EEA without any additional formality no longer apply.

The UK Government has said for some time that it wants an adequacy decision from the EU (for example, like New Zealand or Israel). While this hasn’t been agreed in the TCA it is in progress, and an adequacy assessment is currently being carried out.

While the adequacy assessment takes place, the TCA provides some breathing space for UK businesses as it agrees that personal data can continue to be sent from the EEA to the UK for up to six months (until the end of June 2021).

It is intended that an adequacy decision will be reached during that 6-month period but this is not guaranteed. While the ICO welcomes the fact that a deal has been done, they have taken a cautious approach in suggesting that until adequacy has been agreed, businesses should consider whether to put in place standard contractual clauses or other mechanisms to legitimise the export of personal data. This is probably premature at the moment and suggest waiting to see how the adequacy negotiations unfold.

 

Do I need a representative in the EEA?

 

If you’re caught by the extra-territorial jurisdiction of EU GDPR (see question 1), you now need to appoint a representative in the EEA unless you fall within the exemption. The exemption provides that you don’t need to appoint a representative where: you are a public authority; or your processing is only occasional, of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category data (e.g. health data, and data relating to ethnic origin, race, religious beliefs or political beliefs) or criminal offence data.

Your representative can be an individual or a company, but must be appointed in writing. They can be a group company, which is a popular option where the group has an establishment in the EEA. However, you should bear in mind that since they are representing you in relation to your EU GDPR compliance, the group company must be able to fulfil their responsibilities in this regard (e.g. by maintaining records of processing etc.). In view of this requirement, EEA-based lawyers are another popular choice.

Your appointed representative is required to deal with individuals in the EEA on your behalf, and also any EEA regulator. You therefore need to include their details in your privacy notice so that an individual in the EEA, who wants to make a subject access request to you, can send it to your representative.

Since your representative is there to deal with EEA individuals whose data you process, they should be based in an EEA country where at least some of those individuals are based.

 

The current intention of the UK Government is to operate an equivalent regime in relation to the UK GDPR, so that businesses outside the UK caught by its extra-territorial effect will need a UK representative.

 

Is there anything else to think about?

 

You may need to update your documentation. UK businesses that are subject to the EU GDPR may need to update their privacy notices if they are required to appoint a representative or get any personal data sent to them from the EEA.

Also, UK businesses will need to update any references to EU law in privacy notices or other GDPR documentation. You’ll also need to think about Article 30 registers and if you are caught by EU GDPR, you may need to review your legal basis to process data as “compliance with law” under EU GDPR can only apply to EU law, or the laws of a member state.

Following the end of the Brexit transition period, UK businesses no longer benefit from the ‘one-stop-shop’ and so if your business is caught by EU GDPR you may have to deal with both the ICO and other EEA regulators if there is an issue.