GDPR After Brexit | Is Your Business GDPR Compliant?
Once the transition period ends, the UK will be classed as a ‘third country’, falling outside of the GDPR zone (consisting of the EU states, Norway, Iceland, and Liechtenstein). However, as the UK intends to retain the provisions of the GDPR within domestic law, there will be very little change to the rules around data protection. Therefore, if your business has still not achieved GDPR compliance, we recommend that you continue working towards it.
As long as you are already compliant with the GDPR and have no contacts or clients within the European Economic Area, there is very little you will need to do to ensure you remain compliant.
However, if you are a business or organisation that transfers or receives data from the EEA, then you will need to ensure that you are compliant with both UK national law, and the provisions of the GDPR.
The GDPR restricts the transfer of personal data to third countries unless the data is adequately protected or an exemption applies. The European Commission (EC) is responsible for determining whether a third country has adequate protection in place to allow the free flow of personal data without additional safeguards. As yet, however, no adequacy decision has been made in respect of the UK.
The transfer of data from the UK to the EEA should not present any problems post-Brexit, as the UK has adopted the EU’s pre-existing adequacy decisions, which allow personal data to be transferred from the UK to the 30 EU/EEA countries and to 12 ‘third countries’: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, New Zealand, Switzerland and Uruguay. Personal data transfers from the UK to these countries will be able to continue uninterrupted.
However, if the EU determines that the UK does not have adequate safeguards in place, then EU and EEA countries will not be able to transfer personal data to the UK without contractual agreements in place between organisations, similar to those currently required between the UK and third countries such as the US.
Therefore, if you are a business that has dealings with customers, suppliers or partners in EU countries, we would recommend that your first priority should be to undertake an audit of the personal data you receive from other countries.
Check Contracts and Agreements
It would also be worthwhile checking that your contracts and commercial agreements can be amended if necessary, to ensure that the transfer of personal data will not be interrupted if the EU determines that the UK’s data protection regime is not adequate. For the majority of businesses, incorporating Standard Contractual Clauses into commercial contracts will be the simplest way to ensure this; you may find the tools available on the ICO’s website helpful in this regard.
If you are a business or organisation that offers goods or services to individuals in the EU, but you do not have any offices, branches, or other forms of establishment there (e.g., shops or warehouses), then it may be necessary for you to appoint an EU representative.
Your EU representative will need to be based in the same location as the people whose personal data you process, and must have the authority to represent you and act on your behalf regarding GDPR compliance. There is no need for this representative to be an employee; you could instead instruct a law firm or consultancy. However, if you are only processing low-risk data on an occasional basis, then you may not be required to appoint a representative.
Unfortunately, until the EC makes an adequacy decision about the UK, there remains a great deal of uncertainty as to what data transfers will look like post-Brexit. However, we will aim to keep you updated on the decision and provide further guidance once the situation becomes clearer.
If you have any queries about the GDPR after Brexit, or any questions about data protection generally, please get in touch with our team for more information about the GDPR services we can provide.