At 11pm on the 31st December, the United Kingdom will see a substantial shift in the law of data protection.
With Brexit officially coming happening on the 31st December 2020 many firm’s have demonstrated the perplexity of what is in store for the UK at the end of the transition period. For us at Scott Robert, our clients have focused mainly on what happens with financial services who passport their activities to other countries within the European Economic Area, however, many firm’s haven’t been focusing on their data protection arrangements post Brexit.
At Scott Robert we recognise that many firm’s are forgetful to their data protection obligations, we have therefore decided to put together a quick brief below to ensure you are adequately prepared for data protection and Brexit.
On the 31st December, the UK officially leaves the European Union at the end of the transition period. Currently the data protection law is located within the General Data Protection Regulation 2016 (“GDPR”), which is EU law directly applicable to U.K entities, what confuses many firms is that the UK already has in place the Data Protection Act 2018, however, this doesn’t implement the data protection law, it just supplements the areas which it is admitted to do so under the GDPR.
What happens on the 31st December is that through the withdrawal statutory instruments, the GDPR will be directly copied over to UK law and be termed the UK GDPR, of course changes are going to occur with the powers (such as the Commission no longer has the power to make adequacy decisions, this will lay with a secretary of state).
So first things first, all firm’s should be affirmative to the following tick box exercise:
|Tick Box||Firm Question|
|Our firm understands the term “personal data”.|
|Our firm understands what type of “personal data” we hold on individuals, including our employees.|
|Our firm understands the data protection “Principles”|
|Our firm understands the lawful bases for processing.|
|Our firm understands the meaning of consent and what is genuine consent.|
|Our firm understands that if we rely on legitimate interests as a lawful basis to process personal data we have to have legitimate impact assessments.|
|Our firm understands what is “special category” data|
|Our firm understands the different requirements which must be fulfilled in order to process special category|
|Our firm understands how to correctly identify a data subject access request|
|Our firm has processes in place to correctly investigate a data subject access request and respond accordingly|
|Our firm understands our overall responsibilities as controller.|
|Our firm has records of our processing activity.|
|Our firm has the correct data protection impact assessments in place.|
|Our firm has adequate security for personal data.|
|Our firm has documented due diligence on third-party processors.|
|Our firm conducts regular audits of our data protection framework.|
The above covers the most basic obligations on firm’s right now under the GDPR which will become directly enforceable by the UK GDPR.
The most important thing which firms must be reminded of is the need for documentation of all of the above, without the required documentation how can you demonstrate compliance with the above?
Scott Robert has assisted numerous firms with their data protection compliance, ensuring they have all required documentation to maximise protection of personal data but also ensuring the viability of the firm’s service. Remember, any breaches of the GDPR can amount to substantial fines, so act before you become one of the thousands of firms fined for being neglectful of their data protection obligations.
So what changes?
The biggest change on the 31st December for U.K firms is that we will no longer be a part of the European Economic Area, which means we can no longer freely transfer data to other European Economic Area countries.
The ICO have confirmed that after Brexit the UK will still be free to share data with countries in the EEA, however, what will be changed is EEA countries sending data to the UK, this is because the UK will be regarded as a “third country” as part of the EU GDPR regime. In simple terms, this means:
The EU Commission must make an adequacy decision on the UK data protection framework to determine whether the UK will be adequate, if the Commission makes this decision affirmatively then EEA firm’s can transfer personal data to the UK without the need for any other pre-requisite for transfer. However, if no adequacy decision is made then firms will be required to comply with:
- Standard Contractual Clauses.
- Binding Corporate Rules; or
Put simply, right now in the UK we do not know whether an adequacy decision will be made by the Commission on the UK, although it is likely this is not guaranteed. Therefore, firm’s must act now to pre-emptively ensure that they are prepared on the 31st December to make sure all data their receive from the EEA will be compliant with the UK GDPR. Firm’s should likely be using standard contractual clauses to ensure data is held safely and a risk assessment undertaken on the contract to ensure the firm is meeting the requirements of a level similar to the GDPR.
Without the above, the firm will likely be acting unlawfully when receiving data from the EEA after the transition period ends.
It is also important to note, that under the UK GDPR, existing rules still apply in relation to third-country transfers which means all transfers are restricted to third countries unless the UK secretary of state makes an adequacy decision on the country. Existing third-country decisions will remain applicable to the UK.
What to remember.
Firms should remember that existing data protection obligations apply (as above).
Firms should be prepared to audit their data protection framework to ensure that they are compliant.
Firms should be reminded that the above is only a summary of the UK GDPR changes and does not cover PECR.
If you are concerned about your data protection practices and whether you can tick all of the checkboxes above please get in touch with one of our team members today or contact your direct adviser.