LONGER READ

Data Protection

The end of the Brexit transition period: what this means for your business’s data protection obligations

What should your business consider and implement now in order to minimise potential disruption to data flows in 2021?

SHARE

Authors

It’s difficult to believe we’re already in December – particularly when it feels like the world has been on pause for most of 2020 – yet here we are in the final month of the Brexit transition period.

Up to now, personal data flows between the UK and the countries of the European Economic Area (EEA) have continued as usual since the 2016 referendum, but major changes will come into effect from 11pm British time on 31 December, when the UK will be a ‘third country’.

So what should your business consider and implement now in order to minimise potential disruption to data flows in 2021?

Working out which legislation applies

As soon as the Brexit transition period ends on 31 December, there will effectively be two GDPRs that you should bear in mind. The GDPR that exists at the moment (the “EU GDPR”) will continue apply to the remaining EU member states. In the UK, a new “UK GDPR” will come into force, which will effectively mirror the EU GDPR in most respects, save for some minor tweaks to make it UK-specific.

Alongside the Data Protection Act 2018, the UK GDPR will apply to UK-based businesses that process personal data, as well as any businesses (including outside the UK) that offer goods or services to individuals located in the UK or that monitor those individuals’ behaviour. UK-based businesses will, in addition, have to comply with the EU GDPR if they offer goods or services to, or monitor the behaviour of, individuals located in the EEA.

So, for example, if you operate an e-commerce platform in the UK that offers products to consumers elsewhere in the EU, then you will need to comply with not only the UK GDPR and Data Protection Act 2018, but also the EU GDPR.

Appointing an EU/UK representative

Where (as in the above example) you are required to comply with the EU GDPR as well as the UK GDPR but do not have an EU presence, then you will need to appoint an EU representative who can deal with EU-based data protection regulators on behalf of the EU-based individuals whose personal data you process. Similarly, non-UK companies located in the EU that sell products into the UK without a UK entity will need to appoint a UK representative.

Organisations with pan-EU operations

Certain multinational organisations with extensive operations across the EU have benefited from the ‘one-stop shop’ mechanism, whereby one single EU-based regulator is appointed as the single Lead Supervisor Authority (LSA). The advantage is that such a multinational organisation does not have to deal with the privacy regulator in every single EU country in which it operates.

After the end of the Brexit transition period, the UK’s regulator, the Information Commissioner’s Office (ICO), will no longer be able to act as an organisation’s LSA. Businesses with pan-EU operations should therefore consider whether they require an alternative regulator, such as the Republic of Ireland’s Data Protection Commission (DPC), to act as their LSA.

International transfers of personal data

The UK Government has stated that (for the moment) it will continue to recognise the effect of existing adequacy decisions by the European Commission in respect of non-EEA countries deemed to provide an adequate level of data protection, such as Japan, Switzerland, and New Zealand. The UK will also recognise all EEA countries as adequate. In practice, this means that any transfers of personal data that you make as a UK business to those particular countries can continue as they have done previously.

However, getting the data back from these countries may be problematic. For example, if your payroll processor is located in Ireland, you can continue to send personal data regarding your employees to that processor in Ireland. The difficulty will be in establishing a GDPR-compliant mechanism to transfer personal data (such as that contained on payslips) back from the Irish processor to the UK controller. This is because the UK is extremely unlikely to receive an adequacy decision from the European Commission before the end of the Brexit transition period, principally due to concerns over its domestic surveillance practices. If this is likely to impact your organisation, then you need to consider now what appropriate GDPR safeguard or derogation you can rely on in order to effect the transfer of personal data from the EEA to the UK and put this in place before the expiry of the Brexit transition period.

What to do now

With under month to go before the end of the transition period, therefore, now is the time (if you haven’t done so already) to review your organisation’s flows of personal data to determine whether any action is required and implement appropriate measures accordingly. Not only will this minimise the risk of breaching two different GDPRs, but it will also serve to mitigate any potential disruption to your business in the New Year.

Authors

Latestfromtheteam

MoreofRaj'sInsights

You are contacting

Raj Shah

Senior Associate

raj.shah@collyerbristow.com