Longer Reads

The end of the Brexit transition period: what this means for your business’s data protection obligations

What should your business consider and implement now in order to minimise potential disruption to data flows in 2021?

2 minute read

Published 1 December 2020

Share

Key information

It’s difficult to believe we’re already in December – particularly when it feels like the world has been on pause for most of 2020 – yet here we are in the final month of the Brexit transition period.

Up to now, personal data flows between the UK and the countries of the European Economic Area (EEA) have continued as usual since the 2016 referendum, but major changes will come into effect from 11pm British time on 31 December, when the UK will be a ‘third country’.

So what should your business consider and implement now in order to minimise potential disruption to data flows in 2021?

Working out which legislation applies

As soon as the Brexit transition period ends on 31 December, there will effectively be two GDPRs that you should bear in mind. The GDPR that exists at the moment (the “EU GDPR”) will continue apply to the remaining EU member states. In the UK, a new “UK GDPR” will come into force, which will effectively mirror the EU GDPR in most respects, save for some minor tweaks to make it UK-specific.

Alongside the Data Protection Act 2018, the UK GDPR will apply to UK-based businesses that process personal data, as well as any businesses (including outside the UK) that offer goods or services to individuals located in the UK or that monitor those individuals’ behaviour. UK-based businesses will, in addition, have to comply with the EU GDPR if they offer goods or services to, or monitor the behaviour of, individuals located in the EEA.

So, for example, if you operate an e-commerce platform in the UK that offers products to consumers elsewhere in the EU, then you will need to comply with not only the UK GDPR and Data Protection Act 2018, but also the EU GDPR.

Appointing an EU/UK representative

Where (as in the above example) you are required to comply with the EU GDPR as well as the UK GDPR but do not have an EU presence, then you will need to appoint an EU representative who can deal with EU-based data protection regulators on behalf of the EU-based individuals whose personal data you process. Similarly, non-UK companies located in the EU that sell products into the UK without a UK entity will need to appoint a UK representative.

Organisations with pan-EU operations

Certain multinational organisations with extensive operations across the EU have benefited from the ‘one-stop shop’ mechanism, whereby one single EU-based regulator is appointed as the single Lead Supervisor Authority (LSA). The advantage is that such a multinational organisation does not have to deal with the privacy regulator in every single EU country in which it operates.

After the end of the Brexit transition period, the UK’s regulator, the Information Commissioner’s Office (ICO), will no longer be able to act as an organisation’s LSA. Businesses with pan-EU operations should therefore consider whether they require an alternative regulator, such as the Republic of Ireland’s Data Protection Commission (DPC), to act as their LSA.

International transfers of personal data

The UK Government has stated that (for the moment) it will continue to recognise the effect of existing adequacy decisions by the European Commission in respect of non-EEA countries deemed to provide an adequate level of data protection, such as Japan, Switzerland, and New Zealand. The UK will also recognise all EEA countries as adequate. In practice, this means that any transfers of personal data that you make as a UK business to those particular countries can continue as they have done previously.

However, getting the data back from these countries may be problematic. For example, if your payroll processor is located in Ireland, you can continue to send personal data regarding your employees to that processor in Ireland. The difficulty will be in establishing a GDPR-compliant mechanism to transfer personal data (such as that contained on payslips) back from the Irish processor to the UK controller. This is because the UK is extremely unlikely to receive an adequacy decision from the European Commission before the end of the Brexit transition period, principally due to concerns over its domestic surveillance practices. If this is likely to impact your organisation, then you need to consider now what appropriate GDPR safeguard or derogation you can rely on in order to effect the transfer of personal data from the EEA to the UK and put this in place before the expiry of the Brexit transition period.

What to do now

With under month to go before the end of the transition period, therefore, now is the time (if you haven’t done so already) to review your organisation’s flows of personal data to determine whether any action is required and implement appropriate measures accordingly. Not only will this minimise the risk of breaching two different GDPRs, but it will also serve to mitigate any potential disruption to your business in the New Year.

Related latest updates
PREV NEXT

Related content

Arrow Back to Insights

Longer Reads

The end of the Brexit transition period: what this means for your business’s data protection obligations

What should your business consider and implement now in order to minimise potential disruption to data flows in 2021?

Published 1 December 2020

Associated sectors / services

  • Data Protection

It’s difficult to believe we’re already in December – particularly when it feels like the world has been on pause for most of 2020 – yet here we are in the final month of the Brexit transition period.

Up to now, personal data flows between the UK and the countries of the European Economic Area (EEA) have continued as usual since the 2016 referendum, but major changes will come into effect from 11pm British time on 31 December, when the UK will be a ‘third country’.

So what should your business consider and implement now in order to minimise potential disruption to data flows in 2021?

Working out which legislation applies

As soon as the Brexit transition period ends on 31 December, there will effectively be two GDPRs that you should bear in mind. The GDPR that exists at the moment (the “EU GDPR”) will continue apply to the remaining EU member states. In the UK, a new “UK GDPR” will come into force, which will effectively mirror the EU GDPR in most respects, save for some minor tweaks to make it UK-specific.

Alongside the Data Protection Act 2018, the UK GDPR will apply to UK-based businesses that process personal data, as well as any businesses (including outside the UK) that offer goods or services to individuals located in the UK or that monitor those individuals’ behaviour. UK-based businesses will, in addition, have to comply with the EU GDPR if they offer goods or services to, or monitor the behaviour of, individuals located in the EEA.

So, for example, if you operate an e-commerce platform in the UK that offers products to consumers elsewhere in the EU, then you will need to comply with not only the UK GDPR and Data Protection Act 2018, but also the EU GDPR.

Appointing an EU/UK representative

Where (as in the above example) you are required to comply with the EU GDPR as well as the UK GDPR but do not have an EU presence, then you will need to appoint an EU representative who can deal with EU-based data protection regulators on behalf of the EU-based individuals whose personal data you process. Similarly, non-UK companies located in the EU that sell products into the UK without a UK entity will need to appoint a UK representative.

Organisations with pan-EU operations

Certain multinational organisations with extensive operations across the EU have benefited from the ‘one-stop shop’ mechanism, whereby one single EU-based regulator is appointed as the single Lead Supervisor Authority (LSA). The advantage is that such a multinational organisation does not have to deal with the privacy regulator in every single EU country in which it operates.

After the end of the Brexit transition period, the UK’s regulator, the Information Commissioner’s Office (ICO), will no longer be able to act as an organisation’s LSA. Businesses with pan-EU operations should therefore consider whether they require an alternative regulator, such as the Republic of Ireland’s Data Protection Commission (DPC), to act as their LSA.

International transfers of personal data

The UK Government has stated that (for the moment) it will continue to recognise the effect of existing adequacy decisions by the European Commission in respect of non-EEA countries deemed to provide an adequate level of data protection, such as Japan, Switzerland, and New Zealand. The UK will also recognise all EEA countries as adequate. In practice, this means that any transfers of personal data that you make as a UK business to those particular countries can continue as they have done previously.

However, getting the data back from these countries may be problematic. For example, if your payroll processor is located in Ireland, you can continue to send personal data regarding your employees to that processor in Ireland. The difficulty will be in establishing a GDPR-compliant mechanism to transfer personal data (such as that contained on payslips) back from the Irish processor to the UK controller. This is because the UK is extremely unlikely to receive an adequacy decision from the European Commission before the end of the Brexit transition period, principally due to concerns over its domestic surveillance practices. If this is likely to impact your organisation, then you need to consider now what appropriate GDPR safeguard or derogation you can rely on in order to effect the transfer of personal data from the EEA to the UK and put this in place before the expiry of the Brexit transition period.

What to do now

With under month to go before the end of the transition period, therefore, now is the time (if you haven’t done so already) to review your organisation’s flows of personal data to determine whether any action is required and implement appropriate measures accordingly. Not only will this minimise the risk of breaching two different GDPRs, but it will also serve to mitigate any potential disruption to your business in the New Year.

Associated sectors / services

  • Data Protection

Need some more information? Make an enquiry below.

    Subscribe

    Please add your details and your areas of interest below

    Specialist sectors:

    Legal services:

    Other information:

    Jurisdictions of interest to you (other than UK):



    Enjoy reading our articles? why not subscribe to notifications so you’ll never miss one?

    Subscribe to our articles

    Message us on WhatsApp (calling not available)

    Please note that Collyer Bristow provides this service during office hours for general information and enquiries only and that no legal or other professional advice will be provided over the WhatsApp platform. Please also note that if you choose to use this platform your personal data is likely to be processed outside the UK and EEA, including in the US. Appropriate legal or other professional opinion should be taken before taking or omitting to take any action in respect of any specific problem. Collyer Bristow LLP accepts no liability for any loss or damage which may arise from reliance on information provided. All information will be deleted immediately upon completion of a conversation.

    I accept Close

    Close
    Scroll up

    Find out about Business

    Find out about Dispute Resolution

    Find out about Individuals & Families

    Find out about Real Estate

    We are Collyer Bristow - The law firm for those that
    value individuality, creativity and collaboration.

    Legal & Pricing info Regulatory InformationAccessibilitySitemapPricing and service information

    Listen to our latest podcast: No notice, no claim? (Drax v Scottish Power)

    Read our latest article: Election 2024: Domicile, Inheritance Tax, and change promised by the new Labour government

    Watch our latest video: What is a nuptial agreement? A full guide to everything you need to know about pre and post nups

    Read our latest article: Election 2024: Initial comments on potential tax changes

    Read our latest article: Labour wins UK general election: What changes are coming for employers?

    ExpandNeed some help?Toggle

    < Back to menu

    I have an issue and need your help

    Scroll to see our A-Z list of expertise

    Get in touch

    Get in touch using our form below.



      Business Close
      Private Wealth Close
      Hot Topics Close