The Effects of Brexit on GDPR – what you need to know

Information in this blog was correct at the time of publication; however, you should check the ICO website for the most up-to-date information. Although it has been three years since GDPR was implemented for UK and EU businesses, it doesn't feel that long ago that we saw the mass panic and scare stories about this piece of legislation.

So, naturally, there has been some concern about GDPR since Brexit, and many questions!

Does GDPR still apply to UK businesses?

Has anything changed about GDPR for businesses located in the UK?

Is there anything new I need to do as a business owner?

In this article, I want to give a general overview of GDPR now we’re out of the EU, and let you know what you need to be aware of and do for your business to ensure you’re staying compliant with data protection regulations.

The Data Protection Act (2018)

The UK's Data Protection Act 2018 (DPA 2018) replaced the 1998 Act and was written to sit alongside GDPR. As GDPR is EU legislation governing the processing of personal data of individuals in the EU, UK law had to be brought into line with the General Data Protection Regulation.

Now that the UK has left the EU, the EU GDPR no longer applies directly in the UK. Instead, a UK version of it (the "UK GDPR", the retained text of the regulation as amended on exit) applies together with the DPA 2018, and the ICO remains the regulator. First and foremost, it is important to ensure that your business is compliant with that UK legislation.

However, the EU GDPR (a regulation, not a directive) still applies to any business around the world that offers goods or services to individuals in the EU, or monitors their behaviour, when it processes those individuals' data.

Whatever the UK chooses to do in the long term, GDPR is still relevant if you are transferring data to or from the EU (for example, using a cloud app whose servers are in the EU) or have clients located in the EU.

So, in effect, you need to consider both the UK regime (UK GDPR and the DPA 2018) and the EU GDPR when it comes to data protection in your business.

Identify any data you hold on people in the EU

As a first step, you need to know who your clients are and where they are located.

The test is location, not nationality. The EU GDPR protects individuals who are in the EU whatever their nationality (Recital 14 of the regulation), and the UK GDPR works the same way for individuals in the UK. A client based in the UK who happens to be an EU national is covered by the UK regime; a client located in an EU member state falls under the EU GDPR whatever their passport.

As a client's location can change at any time, your data protection measures need to cover this eventuality. It also means you should record where a client is based when onboarding them, so you can treat their data accordingly.

Sharing data with the EU has changed

When you share data with a company in the EU, such as storing information on a server in the EU, or sending data via email or Dropbox, you need to ensure that the system or individual complies with the UK GDPR and DPA 2018 for your UK-based clients and the EU GDPR for your EU-based clients.

When GDPR came into force, a lot of companies moved their servers to the EU to comply with the regulation, but we are now seeing many online systems move data to the USA for UK clients. This is a change in the service you receive, so at the very least you should have a data processing agreement in place that confirms how the data is secured. Bear in mind that a processing agreement on its own does not make an international transfer lawful: a transfer outside the UK or EU also needs a recognised transfer mechanism, such as an adequacy decision or contractual clauses approved by the regulator.

However, US-based systems can be problematic for EU GDPR (which is why many providers moved to EU servers back in 2018, and why the Schrems II judgment of July 2020, which invalidated the EU-US Privacy Shield, made transfers to the USA harder still), so if you hold data on people in the EU it is worth reviewing whether the systems you use can be kept on EU servers.

You can find out more about international transfers on the ICO website (the link is at the end of this article).

You are the data controller for your business

As the data controller, you are the first party: you determine what data you collect, why you collect it and what you do with it, i.e., how you process that data.

Your clients, the data subjects, are the second party.

Any person outside your organisation, or any system you use to store or process data, is a third party. In GDPR terms, a supplier or system that handles the data on your instructions is a "data processor".

It's important that you understand these relationships, as they are a core part of data protection regulations and of what you need to do as a data controller to remain compliant.

As a data controller, if you are sharing data within the UK with a third party (such as an accounting app or an outsourcing partner), you need to have the following in place. A written contract with your processor is a legal requirement, not just good practice (Article 28 of both the UK GDPR and the EU GDPR).

  1. The contract, including obligations of confidentiality – this should define personal data, require all parties not to share it outside the contract, and state compliance with the UK GDPR and DPA 2018 (and the EU GDPR where relevant).
  2. Data Processing Agreement – this adds to the confidentiality element of the contract by setting out the data controller's specific instructions to the processor: what is to be done with the data, for what purpose and for how long.
  3. Security Instructions – these should tell the data processor the minimum security requirements for handling this data, e.g., whether any devices they use must be encrypted, whether they must use a VPN when working on public Wi-Fi, etc.

If you are also sending data in and out of the EU you may need further documents such as model clauses (standard contractual clauses; for transfers out of the UK the ICO now publishes its own International Data Transfer Agreement). The latest information on this can be found on the ICO website here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/

For help with your DPA and GDPR requirements as a business owner, don’t hesitate to get in touch with me for assistance and support.

This article was first published as a blog in May 2021 on www.banksbusinesssolutions.co.uk and has been updated and reproduced for LinkedIn.
