The impact of Brexit on Data Protection law

Whatever the outcome of the ongoing EU-UK negotiations over trade, businesses will need to look at how they collect, handle and transfer data to ensure they are complying with the rules from 1 January 2021 when the Transition Period ends.
The rules on data protection in the UK didn’t change when the UK left the EU on 1 February 2020, because we entered into the Transition Period, and this effectively maintained the status quo on data.
Going forward, businesses which are solely UK based and have no contracts or customers or data relating to EEA nationals will see little change in their operations in relation to data from 1 January 2021.  UK rules won’t mean a relaxation though – they will still need to comply with the Privacy and Electronic Communications Regulations 2003 (PECR) and the Data Protection Act 2018 (which essentially means the GDPR).
There has been much discussion over whether the EU will decide to grant “adequacy” status to the UK, so that transfers of data from the EU to the UK would be permitted without further formality.  However, currently the EU has not made this finding.  Therefore many businesses will need to implement new processes from 1 January 2021 in order to legally continue receiving data from or in relation to EEA residents.

What should businesses be doing now?

All businesses need to:

  • ensure they comply with PECR and GDPR (all businesses should already be doing this and will continue to need to do this)
  • review processes to see whether you handle data relating to EEA residents
  • update your privacy notices and other data protection documentation to reflect the UK no longer being part of the EU

The further steps your business needs to take will depend on whether you handle data relating to EEA residents:

  • Consider whether the EEA to UK data transfers will still be required at the end of the Transition Period.
  • Put in place contracts between you and the senders on EU-approved terms, known as standard contractual clauses (SCCs) so that these apply at the end of the Transition Period.  SCCs will be required in almost all circumstances, unless the data transfers are between a large multinational group of companies and the group already has approved binding corporate rules (BCRs) in place.
  • Identify the European countries in which your EEA customers are predominantly based. This is required because your UK activities will be covered by UK law and your European activities will be covered by EU law. Once you know where your customers are based, you should identify how EU data protection law is handled in those countries to ensure you remain compliant.
  • Check which European data protection regulator will be your ‘lead supervisory authority’ as this will help you identify whether you need to register with that authority and how you should handle correspondence with that authority in the event of a data breach etc.
  • If you are only based in the UK but you offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA, you will need to comply with the EU data protection regime in relation to these activities. In most cases you will also need to appoint a suitable representative in the EEA (see below for more details).
If you are a UK-based controller or processor of personal data:

  • which has no offices, branches or other establishments in the EEA; but
  • which offers goods or services to individuals in the EEA or which monitors the behaviour of individuals in the EEA.

You will need to:

  • Consider whether you intend to continue carrying out such processing at the end of the Transition Period.
  • Appoint a representative in the EEA (unless you are exempt, see below). This representative will need to be set up in an EU or EEA state where some of the individuals whose personal data you are processing are located. Your European representative may be an individual or a company or organisation established in the EEA (for example, a law firm, consultancy or private company).
  • Put in place a service contract or other written mandate for your European representative authorising them to act on your behalf regarding your EU GDPR compliance, and to deal with any supervisory authorities or data subjects in this respect.
  • Update your privacy notice and website to include contact details and other information about your European representative.

You will not need to appoint a European representative if:

  • you are a public authority; or
  • your processing is only occasional, of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data.

A business located in the EU (or otherwise outside the UK) which is still required to comply with UK data protection law (for example because it offers goods or services to individuals in the UK, or because it monitors the behaviour of individuals in the UK) must appoint a UK representative.