Data Protection after Brexit: what’s changed?
LexLeyton
In case you missed it, the UK officially left the European Union following the end of the transition period on 31 December 2020. It was European law that provided us with everyone’s favourite piece of legislation, the GDPR, so what does Brexit mean for data protection laws in the UK?
Good news can be a bit thin on the ground at the moment, but if data protection is your thing then we have some for you: all that time spent on getting your head around the GDPR wasn’t in vain as the GDPR isn’t being replaced. Instead it is being incorporated into domestic legislation and will now be known as the UK GDPR. The original piece of legislation will now be referred to as the EU GDPR.
Trying to understand all of the legal jargon involved in both Brexit legislation and data protection rules can leave you needing to put a cold towel on your head. Here, we have tried to simplify the position as to what businesses need to know about data protection after Brexit.
Kicking off with a quick bit of jargon busting: the GDPR applies not only to all member states of the EU but also to all countries in the European Economic Area (EEA). That’s why you will see both the EU and the EEA referred to in this article.
Transfer of data from the EEA to the UK
The EU has agreed that the UK will continue to be treated as if it is an EU member state until the end of June, which means that, for now, EEA enterprises will not have to take any additional measures when transferring data to the UK.
Between now and the end of June the EU could make an ‘adequacy decision’ regarding the UK’s data protection legislative regime. This would mean that the EU deems the UK’s data protection laws sufficiently adequate that data can continue to flow from any EEA country to the UK as it does now, without additional measures being required.
It would be very surprising if the EU didn’t make an adequacy decision in favour of the UK, not least because the UK’s data protection laws are derived from European law. However, in theory the UK could act to change the UK GDPR between now and then, and if such changes didn’t align with the EU GDPR then it could be that all bets are off.
Transfer of data from the UK to the EEA
The UK has deemed EEA member states to be adequate on a transitional basis. This means the UK has also decided the EEA has adequate data protection laws in place so that data can continue to flow into EEA member states as it does now. The transitional bit refers to this just being a temporary decision, but it’s likely to last for a couple of years, by which time the UK will have conducted a formal and more permanent assessment of adequacy of the EEA.
Transfer of data from the UK to a third country
The position prior to Brexit was that any transfer of data to a third country (any country that isn’t in the EEA) had to be by way of standard contractual clauses. This is a set of standard contractual terms and conditions that the data sender and the data receiver had to enter into to ensure that the data being transferred was adequately protected. The UK GDPR has adopted standard contractual clauses so this position remains unchanged.
So is there anything businesses need to do?
Whilst the ICO has welcomed the interim arrangements, it continues to recommend that, during this grace period, businesses carry on working to identify any requirements to put in place alternative transfer mechanisms in respect of EEA-UK data flows to protect against any disruption to the flow of UK-EEA data, or in case the EU does not grant the UK an adequacy decision.
Businesses should also note that the interim arrangements set out in the UK-EU trade deal do not relieve businesses in either the UK or the EEA of their obligation to appoint an authorised representative where they provide services to or monitor behaviour of individuals in the EEA or UK respectively.
The ICO has been busy making examples of high-profile companies that have breached data protection laws and issuing them with hefty fines, so now is a good time to health-check your data protection compliance. Contact us for a free consultation to discuss how we can help you to understand what your HR and employment law related data protection obligations are, and how to ensure your business is compliant.