The Brexit transition period ended on 31st December 2020. UK organisations that process personal data must now comply with the following laws:
- The DPA (Data Protection Act) 2018 and UK GDPR (General Data Protection Regulation) if they process only domestic personal data.
- The DPA 2018 and UK GDPR, and the EU GDPR if they process domestic personal data and offer goods and services to, or monitor the behaviour of, EU residents.
Post-Brexit Data protection law – after 31st December 2020
Will the GDPR apply in the UK after Brexit?
No, the EU GDPR does not apply in the UK after the end of the Brexit transition period on 31st December 2020.
However, the UK’s Data Protection Act of 2018 has already enacted the EU GDPR’s requirements into UK law. Therefore, with effect from 1st January 2021, the DPPEC (Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit)) Regulations 2019 amended the DPA 2018. It was then merged with the requirements of the EU GDPR. This formed a new, UK specific data protection regime that works in a UK context after Brexit as part of the DPA 2018.
This new regime is known as ‘the UK GDPR’. This is the new post Brexit Data Protection landscape.
UK organisations need to amend their GDPR documentation. You need to align it with the requirements of the UK GDPR. In particular, Article 30 records, Privacy Notices, DPIAs, DSARs and cross border data flow documentation. The UK’s independent jurisdiction will need to be taken into account. Together with the specific scope and wording of the UK GDPR.
Any UK organisation that offers goods or services to, or monitors the behaviour of, EU residents will also have to comply with the EU GDPR. This must be reflected in your process documentation.
Do you still process EU residents’ personal data?
If you are a UK organisation you are now bound by the UK GDPR. However, you may also be bound by the EU GDPR. In addition, you may now need to:
- Appoint an EU Representative;
- Identify a lead supervisory authority in the EU;
- Update any contracts governing EU–UK data transfers to incorporate standard contractual clauses; and/or
- Update your policies, procedures and other documentation in light of these changes.
The EU GDPR’s requirements as originally implemented by Parts 3 and 4 of the DPA 2018 continue to apply. However, this is no longer within the EU’s jurisdiction for law enforcement and intelligence purposes.
How does Brexit affect international data transfers?
The Brexit transition period has ended. Therefore, the UK is now a ‘third country’. This is the name given to all countries outside the EEA (EU member states, plus Iceland, Liechtenstein and Norway).
International transfers of personal data from the EU to the UK
Under the EU GDPR, international transfers are permitted only in certain circumstances:
- If the European Commission has issued an adequacy decision, stating that there is an adequate level of data protection.
- If appropriate safeguards are in place, such as BCRs (binding corporate rules) or SCCs (standard contractual clauses).
- Based on approved codes of conduct.
These mechanisms are explained below.
Organisations that provide goods or services to, or monitor the behaviour of, EU residents will also have to appoint an EU representative. This is required by Article 27 of the EU GDPR.
The UK-EU TCA (Trade and Cooperation Agreement) allows for the continued free flow of personal data from the EU to the UK. This is for a maximum of six months following the end of the transition period (31st December 2020). This enables UK organisations to continue to freely receive data from the EEA. There is no need for further action.
The UK hopes the European Commission will then issue an adequacy decision in relation to the UK. This means that personal data can continue to flow freely beyond this six-month period.
Thus far, the European Commission has adopted 12 adequacy decisions:
- The Faroe Islands
- The Isle of Man
- New Zealand
As of May 2021, subject to confirmation, South Korea has now been granted adequacy by the EU.
Should the UK does not receive an adequacy decision by the end of the six-month period introduced by the UK-EU TCA, changes will be needed. UK organisations will have to use alternative mechanisms. These can be SCCs or BCRs, to transfer EU residents’ personal data. However, you are advised to co firm this wit the relevant EU supervisory authority.
The ICO therefore recommends that UK organisations implement alternative transfer mechanisms now to safeguard against potential interruptions to the free flow of personal data.
Binding corporate rules and standard contractual clauses (BCRs and SCCs)
In the absence of an EU adequacy decision, organisations in the UK that process EU residents’ personal data will have to rely on other safeguards, such as BCRs or SCCs.
Now the UK has left the EU, the ICO (Information Commissioner’s Office) is no longer a supervisory authority under the EU GDPR. Therefore, the ICO cannot approve BCRs for transfers of personal data from the EEA to the UK.
Therefore, BCR’s will need to be approved within the EU, by a supervisory authority.
UK organisations making onward transfers of EU Subject Data to processors in the US
The EU–US Privacy Shield was ruled invalid following legal action by the Austrian privacy campaigner Max Schrems. The shield allowed certified US organisations to process EU residents’ personal data. The ruling was invalidated by the ECJ (European Court of Justice) on 16th July 2020.
In November 2020, the European Data Protection Board published its recommendations on supplementary measures. . The measures are for EU data controllers that use US data processors. Also for US processors that process the personal data of EU residents, must take into account when making such transfers.
International transfers of personal data from the UK
Consequently, the UK government has said it will recognise adequacy decisions made by the European Commission before the end of the transition period. However, the government will keep this arrangement under constant review.
Potential penalties for non-compliance
Infringements of the EU GDPR’s requirements for transferring personal data to third countries or international organisations are subject to the higher level of administrative fines. These can be up to €20 million or 4% of annual global turnover, whichever is the greater.
Therefore, organisations that process EU residents’ personal data should therefore put measures in place immediately. This is to ensure they comply with the law after 31st December 2020. There are rules for UK Data Subjects also and regulation is in place of them also.
If you need help with post-Brexit data protection and/or GDPR, or perhaps you need to appoint an EU Representative, then call us today on 03333 22 1011. You can contact us here or book a call directly here.