All UK businesses
In order to minimise any risk to your business from a data protection perspective at the end of the Transition Period you should:
- Ensure that you comply with PECR and the GDPR.
- Review your processes to identify any situations in which your business transfers personal data to the EU or receives personal data from the EU.
- Update your privacy notices and other data protection documentation to ensure that any necessary changes are made. For example, to ensure that references to Europe, the EU or the EEA are amended to reflect the fact that the UK will no longer fall within those definitions.
UK businesses which receive personal data from the EEA
If you are a UK business which receives personal data from businesses or organisations in the EEA (including group companies), you should take the following steps to ensure that the data flow can continue at the end of the Transition Period:
- Consider whether the EEA to UK data transfers will still be required at the end of the Transition Period.
- Put in place contracts between you and the senders on EU-approved terms, known as standard contractual clauses (SCCs), so that these apply from the end of the Transition Period.
- SCCs will be required in almost all circumstances. The main exception is where the data transfers take place within a large multinational group of companies which already has approved binding corporate rules (BCRs) in place.
UK businesses with customers in the EEA or with offices, branches or other establishments in the EEA
If you are a UK business which has customers in the EEA or which has offices, branches or other establishments in the EEA, you should take the following steps to minimise the risks to your business from a data protection perspective at the end of the Transition Period:
- Identify the European countries in which your EU customers are predominantly based. This is required because your UK activities will be covered by UK law and your European activities will be covered by EU law. Once you know where your customers are based, you should identify how EU data protection law is handled in those countries to ensure you remain compliant.
- Check which European data protection regulator will be your ‘lead supervisory authority’, as this will help you identify whether you need to register with that authority and how you should handle correspondence with it, for example in the event of a data breach.
- If you are only based in the UK but you offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA, you will need to comply with the EU data protection regime in relation to these activities. In most cases you will also need to appoint a suitable representative in the EEA (see below for more details).
UK businesses which need to appoint an EU Representative
If you are a UK-based controller or processor of personal data:
- which has no offices, branches or other establishments in the EEA; but
- which offers goods or services to individuals in the EEA, or which monitors the behaviour of individuals in the EEA,
then you will need to:
- Consider whether you intend to continue carrying out such processing at the end of the Transition Period.
- Appoint a representative in the EEA (unless you are exempt, see the section below for more information). This representative will need to be set up in an EU or EEA state where some of the individuals whose personal data you are processing are located. Your European representative may be an individual or a company or organisation established in the EEA (for example, a law firm, consultancy or private company).
- Put in place a service contract or other written mandate for your European representative authorising them to act on your behalf regarding your EU GDPR compliance, and to deal with any supervisory authorities or data subjects in this respect.
- Update your privacy notice and website to include contact details and other information about your European representative.
You will not need to appoint a European representative if:
- you are a public authority; or
- your processing is only occasional, of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data.
EU businesses which need to appoint UK Representatives
The UK government has said it intends that, at the end of the Transition Period, a controller or processor which is located outside the UK, but which is still required to comply with UK data protection law (for example because it offers goods or services to individuals in the UK or because it monitors the behaviour of individuals in the UK), must appoint a UK representative.