Keeping on the right side of data protection law post-Brexit (UK business owners).

I'm sure you'd agree that the most enjoyable area of business is keeping one's contracts and policies up to date. I mean, it's not like we have anything else to concern ourselves with, like navigating a pandemic, or deciphering government policies and regulations.

I've put together some examples (not advice) of what needs to happen post-transition data protection-wise. No doubt .gov will tweak the regs here and there so do keep an eye out.

UK business

(UK-based business with customers based in the UK that is not transferring any personal data outside the UK)

  • No real change is needed, as the UK is adopting the EU’s General Data Protection Regulation (the EU GDPR) as its domestic law from 1 January 2021.
  • Some changes are required, however: for example, privacy terms issued to customers and employees will need to take out any references to the EU GDPR and simply refer to the applicable UK legislation, primarily the UK Data Protection Act 2018 (the UK DPA).
  • In addition, the Privacy and Electronic Communications Regulations (PECR), which govern things like the use of cookies and email and SMS marketing to consumers, will also continue to apply in the UK.

UK–EU

(UK-headquartered business selling to consumers in the UK and in the EU online and through retail stores operated by subsidiary companies in the EU)

During the Brexit transition period, which ends on 31 December 2020, the EU GDPR continues to apply. However, from 1 January 2021 the main changes you need to prepare for are as follows:

Customers

  • Customers based in the EU will continue to benefit from the protection of the EU GDPR, and that is what the UK parent must comply with in relation to them.
  • For UK-based customers dealing with the UK parent, the UK DPA will apply.
  • For UK customers dealing with the Continental European subsidiaries, the EU GDPR will apply.
  • There is currently no practical distinction between the UK DPA and the EU GDPR in terms of what you need to tell customers and what their rights are, so there is no need for any changes except to update the privacy policies issued to customers to make it clear which regime covers them, depending on where they are located and which Group company is dealing with them.

Which regulator applies (from 01.01.2020)?

  • UK customers (and employees) of the parent company based in the UK: the ICO.
  • EU individuals: will be able to turn to their local data protection regulators to handle any complaints or issues.
  • UK customers dealing with EU subsidiaries: can refer complaints to the regulators where the relevant subsidiary is located.

You may need an EU representative

  • You need to appoint an EU-based representative to be a point of contact for EU customers and for EU-based regulators.
  • The EU representative must be in one of the countries where you have customers. Guidance from the European Data Protection Board (EDPB), the collective body of all EU-based regulators, provides that ideally the EU representative should be appointed in a country where the majority of EU-based customers are located, but this is not a strict requirement.
  • Also note that under the UK DPA, there is a reciprocal requirement for your EU subsidiaries to appoint a UK representative if they have customers in the UK. It might be most convenient for that to be the UK parent company.
  • When you appoint an EU or UK representative you will need to explain who they are and how to contact them in the privacy notices issued to your affected customers.


Sharing personal data

UK to EU

  • No transfer mechanism is needed for transfers from the UK to the EU, as the UK Government’s view is that the EU will provide “adequate” protection to data transferred from the UK.
  • Your privacy policy should be updated to confirm these data transfers.

EU to UK

  • From 1 January 2021, you may need to have Standard Contractual Clauses (SCCs) in place with EU counterparts in order to legally receive personal data from the EU.
  • The EU’s data adequacy assessment of the UK is underway and we are confident that adequacy decisions can be concluded by the end of the transition period. This would allow the free flow of personal data from the EU/EEA to the UK to continue without any further action by organisations.
  • However, if the EU has not made adequacy decisions in respect of the UK before the end of the transition period, you should act if you want to ensure you can continue to lawfully receive personal data from EU/EEA businesses (and other organisations) in the future.
  • In this scenario, organisations will be required to put in place alternative transfer mechanisms to ensure that data can continue to legally flow from the EU/EEA to the UK. For most organisations, the most relevant of these will be Standard Contractual Clauses (SCCs). The ICO also provides more detailed guidance on what actions might be necessary and an interactive tool that allows you to build SCCs.

Record-keeping

Apart from altering Privacy Notices, don’t forget to also update your records of processing to set out the new arrangements you have put in place to deal with the impact of the end of the Brexit transition period.

You probably know this already: the above is not legal advice – you should obtain your own independent legal advice for your business and circumstances.


Leonie Savory

Associate Solicitor | Qualified Mediator

4 years

Very useful and interesting Ian G.

More articles by Ian Greig MBA