The UK left the EU on 31st January 2020 and immediately entered a transitional period during which, for data protection purposes, nothing really changed. That transitional period ends at 11pm on 31 December 2020, and that is when things are realistically going to change for business.
Here is our practical guide to what business needs to do to ensure it complies with the data protection legislation post 11pm on 31 December 2020.
1. Continue complying with the GDPR – The EU GDPR will no longer be part of UK law after 31 December 2020. It has however been replaced by the UK GDPR, which is largely identical to the EU version. The 6 data protection principles underpinning the GDPR continue to apply in the UK, and it is therefore important that you continue to be able to demonstrate compliance with them in the same way as you have since the GDPR came into force on 25th May 2018.
2. Also comply with the EU GDPR – The GDPR has always had an extraterritorial component. What this means in practice is that if you are based outside the EU but offer goods or services to people in the EU, or monitor the behaviour of people in the EU (or process data in relation to either of those activities), then you need to comply with the GDPR regardless of where you are based. Those extraterritorial provisions now apply to UK businesses selling into the EU or monitoring behaviour in the EU. UK businesses may well find themselves having to comply with both the UK GDPR and the EU GDPR. That is not hugely problematic now, but it may become more so if and when the UK and EU laws diverge over time.
3. Appoint an EU Representative – If the data you are processing relates to offering goods or services in the EU or to monitoring the behaviour of people in the EU, and you have no establishment in the EU, then you may well have to appoint an EU Representative in relation to those EU activities. This will be a person or company who can liaise on your behalf with data subjects and the data protection authorities in the EU, and it must be based in an EU country where the people whose data you process are located.
4. Appoint a UK Representative – The UK GDPR mirrors the EU GDPR. Therefore, if you have no establishment in the UK but the data you are processing relates to offering goods or services in the UK or to monitoring the behaviour of people in the UK, then you may need to appoint a UK Representative. If you are based in neither the UK nor the EU and your processing relates to offering goods or services, or monitoring behaviour, in both the UK and the EU, then you may need both a UK and an EU Representative.
5. Make preparations to keep data flowing – The UK-EU Trade and Cooperation Agreement (TCA) allows data to continue to flow from the EEA to the UK for up to a further 6 months. It may well be that after those 6 months further steps need to be taken to ensure that data can continue to flow. We would therefore urge you to look at your data flows now and ensure that these can continue when this 6 month period expires. This includes looking at arrangements that you have with EEA based businesses who provide services to you.
This is probably the most difficult area to deal with post Brexit. See our earlier blog discussing some of these issues. The position has however (at least temporarily) been made easier by the UK-EU Trade and Cooperation Agreement (TCA). The issue has not gone away, however, and you should not lose sight of it.
The issue is that any transfer of personal data from the UK to the EEA, or from the EEA to the UK, now becomes a “restricted transfer”. What this means is that before data can be transferred in either direction, one of three things has to be in place:
- The country where the data is being transferred to must have the benefit of an adequacy decision from the UK/EU accepting that country as providing an adequate level of protection for personal data; or
- An appropriate safeguard must be in place. This is likely to mean putting in place the Standard Contractual Clauses (SCCs) between exporter and importer; or
- The transfer must have the benefit of one of the very limited derogations which are set out in the GDPR.
Now that the UK has left the EU it does not have an adequacy decision in its favour, although the UK has said that it will treat the EEA as providing an adequate level of protection on a provisional basis. It follows that transfers of data from the EEA to the UK suddenly become far more difficult than has previously been the case, whereas transfers from the UK to the EEA can continue on the basis of the UK’s provisional adequacy finding.
The TCA allows data to flow from the EEA to the UK for up to a further 6 months while the EU Commission considers whether or not to make an adequacy decision in the UK’s favour. Such a decision is by no means a given, and it may come on terms that the UK will not accept. You therefore need to take steps to ensure that data can continue to flow from the EEA to the UK. This is likely to involve analysing your data flows and ensuring that appropriate safeguards (such as SCCs) are in place.
6. One stop shop – The UK will no longer be able to take advantage of the GDPR’s “one stop shop” provisions. Previously, if you were moving data around Europe you would only have to deal with one regulatory (supervisory) authority. For example, as a UK based business moving data to and from offices in the EU you would only have to deal with the UK’s Information Commissioner’s Office (ICO). Post Brexit you will need to have a relationship with both the ICO and the data protection authorities in the EU. If you are moving data across EU borders you may still be able to take advantage of the “one stop shop” within the EU, but it will not extend to the UK.
7. Amend your documentation – You will need to amend both your privacy notices and your contracts to reflect the change from EU law to UK law. Likely changes include:
- References to the EU GDPR – Regulation (EU) 2016/679 – are likely to be incorrect and will need to be changed to references to the UK GDPR and the Data Protection Act 2018;
- References to the EU may well no longer be correct and should be changed to references to the UK as appropriate;
- If you have appointed an EU (or a UK) Representative, that will need to be reflected in your privacy notice;
- Where you are subject to the EU GDPR (as well as the UK GDPR), you need to change your privacy notice to reflect that complaints can be made not just to the ICO but also to the applicable EU supervisory authority;
- You need to amend your privacy notice to tell people about transfers that you are making to and from the EEA, as these will be restricted transfers.
Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.