The much-anticipated 31st December 2020 has been and gone, and the UK is now no longer part of the European Union. As we waited with bated breath to find out whether we would be leaving with or without a deal, it really went to the wire, but a deal it was. Unfortunately, the Brexit transition period has left many unanswered questions and some things remain to be agreed. There are, however, many things of which we can be sure, and the implications for GDPR are clear.
In terms of data protection, the EU data protection law that previously applied has been converted into UK domestic law. A few minor amendments have been made for it to work as UK law, but it is essentially the same. The Information Commissioner’s Office (ICO) continues to be the independent supervisory body overseeing UK data protection legislation, but it is no longer a supervisory authority under the EU GDPR. This means the ICO will no longer be able to approve Binding Corporate Rules (BCRs) for the transfer of personal data from the European Economic Area (EEA) to the UK, as it previously could. The consequences for companies that deal with EU companies need to be addressed.
How Brexit Impacts UK Companies that Process Personal Data
UK companies that process the domestic personal data of UK persons now need to comply with the Data Protection Act (DPA) 2018 and the UK General Data Protection Regulation (UK GDPR), which, as we have already stated, is essentially the same as the EU law. However, organisations that process the personal data of EU residents will need to comply with both the UK regulations (DPA 2018 and UK GDPR) and the EU GDPR. Although the new regulations apply from 1st January 2021, the EU has agreed to a ‘bridge’, enabling restrictions to be delayed for four months. They have also agreed that this may be extended to six months.
In theory, before the bridge agreement expires, the UK should qualify for ‘adequacy’, meaning the UK would be deemed to follow adequate procedures and the free transfer of data to the UK could continue as before. The UK has already deemed the EU to be adequate on a transitional basis, so data will be able to flow freely to the EEA for several years until a formal assessment of adequacy has been made. It is highly unlikely that the EU will withhold adequacy from the UK: the existence of the bridging agreement suggests it will be granted, and, as the UK has only just left the EU, a refusal would imply that member states may not have adequate regulations either. Nevertheless, organisations should be aware that new regulations may come into force before adequacy is conferred, and should make the appropriate provisions.
Article 27 and What it Means for GDPR
With the ICO no longer able to approve BCRs for transfers of personal data from the EEA to the UK, article 27 of the Law Enforcement Directive requires organisations to appoint a representative who can ensure compliance. This representative must be based in one of the member states whose residents’ data the organisation processes. Companies must also update contracts relating to transfers of data from the EU to the UK to include standard contractual clauses (SCCs), and update their policies, procedures and documentation to reflect any changes. The penalties for non-compliance are severe: up to €20 million or 4% of annual global turnover, whichever is greater. While these Withdrawal Agreement requirements may not come into force if adequacy is conferred before the bridge ends, it is vital that organisations have measures in place by the end of April in case they do.
GDPR Compliance is our Speciality, Don’t Let Brexit Catch You Out
We are all hoping that adequacy will be granted before the bridge runs out, but there are no guarantees. Organisations need to act now to ensure a smooth transition, and this is where iCaaS can help you. Not only does GDPR compliance reduce the threat of security breaches, reputational damage, fines and legal action, it also gives you a marketing tool you can leverage. With our software giving you and your clients tangible proof of your GDPR compliance, we can help you make sure the changes coming in with Brexit don’t leave you exposed.
Call our customer service team today on 0345 646 0066 or email us via [email protected] to find out how we can help you ensure that you are, and that you remain, GDPR compliant. We are here to answer your questions on GDPR and Brexit and we would love to hear from you. Please get in touch!