Brexit and Data Protection - What Do UK Organisations Need to Do Now?
One of the biggest mysteries (for data protection lawyers at least), was what would happen to personal data transfers from the EEA to the UK after we leave the EU.
As the Government voted to approve the Brexit deal agreed by Boris Johnson, the transition period ended on 1 January. But what does this mean for data protection compliance?
UK-to-EEA Transfers
The ability for UK organisations to send personal data to the EEA without needing additional safeguards has not changed. This means that, unless the UK changes its new domestic data protection laws, those transfers can continue as they are now.
Requirement to Appoint an EU Representative
If you do not have any offices/establishments in the EU, and are offering goods and services to EU citizens and/or monitoring their behaviour, you may need to appoint an EU representative.
This requirement is not affected by the deal, so if you are in the process of appointing a representative, you should continue to do so.
End of the 'One Stop Shop'
When part of the EU, UK organisations benefitted from the 'one stop shop arrangements, which meant that if your processing affected individuals in more than one state, you only had to deal with one regulator. As of 1 January, the UK no longer benefits from this, although negotiations are still underway to allow the UK to potentially benefit in future. In the meantime, UK organisations will not be able to use this mechanism until further notice.
An Extension Period for EEA-to-UK Transfers
One of the biggest uncertainties in data protection terms was how transfers of personal data from the EEA to the UK would be treated post-Brexit. As of 1 January 2021, the UK is effectively a "third country" in data protection terms, meaning that transfers in from the EEA would require additional safeguards under the GDPR.
The deal as agreed gives a further six-month extension period for data flows, meaning for the moment, there will be no change to how data flows into the UK from the EEA.
This extension period is to allow time for the EU to debate whether the UK will receive an adequacy decision. Such a decision is a declaration that the UK's law provides adequate safeguards for personal data, and so no additional actions are required when transferring data into the UK.
The extension period is dependent upon the UK not making any changes to the new data protection regime without the approval of the EU. If that happens, the extension period ends, and EEA nations will have to put in place additional safeguards in order to lawfully transfer personal data to the UK.
There is also a four-month "break clause" meaning that the extension period will last for four months, with an automatic addition of a further two months unless the UK or the EU want the period to end after the four months.
What Do Organisations Need to Do in Respect of EEA to UK Transfers?
For the moment - sit tight. Unless the UK makes changes to its new UK GDPR and/or the Data Protection Act 2018 without EU approval, no additional action is required until at least the end of April.
If, either at the end of April or at the end of June, there is no adequacy decision, then any EEA-based organisation sending personal data to the UK will have to consider the use of additional safeguards. The most practical in most cases will be the Standard Contractual Clauses, although each organisation will also have to consider whether other, additional, mechanisms need to be in place to safeguard data if the UK is not considered "safe". What that will look like depends upon the type of data being transferred, but it is likely that there will be additional guidance on this before then.
What You Should Do Now
- If you need to appoint an EU Representative - continue with this process; and
- If you receive personal data from the EEA, nothing will change for the moment, but be prepared for additional contracts/steps if there is no adequacy decision in the next 4-6 months.
