Despite Brexit, certain aspects of EU law are here to stay and GDPR is one of them. Imaginatively rebranded as UK GDPR, the key elements remain the same. However, subtle differences may mean some organisations have to make changes.
Do you need to comply with just the UK GDPR & Data Protection Act 2018 or with the EU GDPR as well?
You will need to comply with the UK GDPR and the DPA 2018 if your organisation:
- is based in the UK; or
- is based elsewhere but processes data about UK data subjects.
You will need to comply with the EU GDPR If your organisation:
- has personal data from EU data subjects which it will continue to process; or
- operates and has establishments in the EU.
Therefore, your organisation could be subject to both UK GDPR/DPA 2018 and EU GDPR.
International Transfers of Personal Data
The UK has already determined that transfers of personal data from the UK to the EU are adequately protected by the EU. However, the EU is still considering whether the UK’s data protection regime is ‘adequate’. If there is no adequacy decision, additional protective measures will be required.
For the next 4-6 months, interim bridging measures for transmission of personal data to the UK have been agreed. So, compliant personal data transfers from the EU to the UK can continue without additional safeguards. This gives organisations further respite to consider next steps.
It would be sensible to start preparing now in case an adequacy decision is not forthcoming. The most common approach is by entering into a contract with entities in the EU adopting Standard Contractual Clauses (SCC’s). These are rules pre-approved by the EU which cover the transfer of data to and from your business. Existing SCCs continue to be valid for transfers from the UK to non-EU countries.
Appointing an EU Representative
Organisations in the UK which act as controller or processor of EU individuals’ data may need to appoint a representative in the EU to comply with EU GDPR. Likewise, an EU-based controller or processor may have to appoint a representative in the UK if it is subject to the UK GDPR.
‘Frozen GDPR’
Identify all overseas data you collected before the end of 2020 and keep a compliance record. New data collected after this point will mostly come under the UK rules. But data collected before 31 December 2020 will continue to be subject to the EU GDPR as it was on 31 December 2020 unless an adequacy decision is granted. At the moment standards are generally the same. But if the UK regime diverges from the EU regime, you will need to be able to identify data that is subject to the old rules.
Changes to Privacy Policies
Some changes may be required in referencing the relevant legislation, addressing transfers of data between the UK and the EU and referring to your EU representative.
Data Protection Impact Assessments (DPIA’s)/Records of Processing
Any DPIA’s may need a review to address international transfers (including to and from the EU). Similarly records of processing activities may need to be reviewed to incorporate international transfers and EU Representatives.
Contracts
As with privacy policies these may need reviewing to ensure references to data protection cover the new UK regime. Organisations may need to review provisions dealing with international transfers and anticipate the need to incorporate SCC’s.
For more information or help with your GDPR post Brexit please call your nearest office, details can be found here