Brexit & Data Privacy Advice
We are delighted to provide you with a copy of your complimentary Brexit & Data Privacy Advice – by Aria Grace Law
On 31 December 2020 the Brexit transition period ended, and the provisions of the UK-EU Trade and Co-operation Agreement will take effect. Chapter 7 of the Final Provisions of the Co-operation Agreement provides for the continued free flow of personal data from the EU and EEA/EFTA States to the UK until adequacy decisions are adopted, and for no longer than 6 months.
This is great news and a lucky break, as our research has shown that UK companies, by and large, would simply have failed in their duties under the GDPR, which clearly would have had a massive impact on their ability to trade. So:
- For the moment, the UK is not what is termed a “third country” under EU data protection law.
- The UK will bring the EU GDPR into UK law via the European Union (Withdrawal) Act 2018, and it will then become the UK GDPR.
- The UK GDPR will be amended by secondary legislation, The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 to make it reflect UK law, and replace references to the EU with the UK.
The transition period is the period which ran from exit day until 31 December 2020.
In the next few months, and time is short, you must do the following:
a) Make sure you know where your data subjects are located and where their personal data is stored.
b) Undertake an assessment to determine whether your business will be subject to the UK GDPR and/or the EU GDPR.
c) Include a data export mechanism in contracts with third parties for exporting data from the UK to non-EEA countries and to countries not deemed adequate by the European Commission. The data export mechanism, such as the Standard Contractual Clauses (“SCC”), will also require due diligence in relation to the importing company and the wider data protection laws of the country in which they operate.
d) Contracts will need to be updated to reflect the UK legislation that applies to the processing of personal data.
e) Amend breach notification procedures. If UK law applies, then, where required, personal data breaches would have to be reported to the Information Commissioner’s Office (“ICO”). Where organisations are operating across the EU and are affected by the personal data breach, breach reports would also have to be made to the EU lead authority, in addition to the ICO.
f) The ICO will no longer be able to serve as a lead authority for the approval of Binding Corporate Rules (“BCRs”) across EU member states. Where the ICO is the lead authority for existing BCRs this would need to be transferred to an EU regulator. Approval of BCRs will be required by both the ICO and an EU supervisory authority where both UK and EU law apply. However, the ICO will not be able to approve BCRs for six months, or until a decision on adequacy has been made.
g) Consider whether you need to appoint a UK and/or EU representative. Where an organisation based outside of the EU currently appoints a representative within the EU, it would require a representative within both the UK and within the EU where both UK and EU law apply.
h) Amend any existing One-Stop-Shop arrangements. Controllers and processors that carry out processing which impacts individuals in more than one EU or EEA state may only need to deal with a single EEA data protection regulatory authority. In the event that the UK does not receive an adequacy decision and where processing in the UK is not likely to substantially affect individuals in any other EU or EEA state, then the One-Stop-Shop and lead authority arrangements will cease to apply, and an organisation will deal only with the ICO. Where you are subject to both UK and EU data protection laws in the processing of personal data you will have to deal with both the ICO and the lead supervisory authority within the EU/EEA where you have a lead authority.
i) Amend internal policies and external notices to refer to UK GDPR (and/or EU GDPR, as appropriate).
j) If there is no adequacy decision in the next 4-6 months, then organisations will need to ensure the following: Exports from the EU to the UK will require a data export solution as per current rules under GDPR for personal data exports to third countries, such as the SCC or a derogation. The privacy notices of EU exporters need to provide information on this transfer and the mechanism for the transfer as per existing rules under the GDPR.
There is a lot to do, and we would like to help – we have a huge privacy law pedigree acting for SMEs, large and listed institutions as well as one of the world’s largest legal services providers, implementing programmes and technologies to help deliver brilliant and cost-effective GDPR and privacy solutions.