Introduction
With the UK having left the EU on 31 December 2020, there is a lot of confusion about the implications for businesses in the UK. In this guide we outline what this means for your business, answer some frequently asked questions and detail some practical steps you can take to ensure you are compliant.
As part of the trade deal, the UK and the EU agreed to delay any transfer restrictions for at least four months, which can be extended to six months (known as the bridge). During this period, the UK is seeking what is known as an ‘adequacy decision’ from the European Commission.
An adequacy decision is a finding from the European Commission that a third country or an international organization offers levels of data protection that are essentially equivalent to that within the EU. An adequacy decision permits cross-border data transfer outside the EU, or onward transfer from or to a party outside the EU without further authorization from a national supervisory authority.
If the EEA decides that the UK offers the EU an adequate level of data protection, transfers of data between the UK and the EU will be assimilated into intra-EU transmission of data. In the absence of an adequacy decision at the end of the bridge, transfers from the European Economic Area (EEA) to the UK will need to comply with EU GDPR transfer restrictions.
Furthermore, in the absence of a decision, data processed before 01 January 2021 will be subject to the EU GDPR as it stood on 31 December 2020, known as the ‘frozen GDPR’.
Either way, the UK government has committed to maintaining the high standards of the GDPR and has incorporated it into UK law (the UK GDPR) alongside the Data Protection Act 2018. The UK ICO has strongly recommended that businesses do not rely on an adequacy decision and move to put additional safeguards in place.
In the guide below, we have outlined your obligations based on three core scenarios for UK businesses and organizations that:
- Have no contacts or customers in Europe
- Send or receive data to or from Europe
- Have a European presence or European customers
1. Have no contacts or customers in Europe
If you are a UK business or organisation that already complies with the GDPR and you have no contacts in the EEA who send you data, and no customers in the EEA, you do not need to do much to comply now that the Brexit transition period has ended. Going forward you will be subject to UK GDPR.
2. Send or receive data to or from Europe
If you send personal data to, or receive personal data from, the EU, you need to put processes and procedures in place to ensure you remain compliant. From the UK side, the UK government has stated that transfers to the EEA are not restricted. Therefore, if you send data from the UK to the EEA, you will still be able to do so and you don’t need to take any additional steps.
However, if a business or organisation in the EEA is sending you personal data, then it will still need to comply with EU data protection laws. Data can continue to flow whilst the bridge is in place. However, if there is no adequacy decision from the EU come April, you will need to put additional measures in place. In practice, you need to enter into SCCs (Standard Contractual Clauses) with any controllers or processors you work with in the EU.
3. Have a European presence or European customers
If you already have a European presence or if you are a UK company that has European customers, you will need to comply with both the UK and EU data protection regulations.
If you are only based in the UK but you offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA, you need to comply with the EU data protection regime in relation to these activities. In most cases you will also need to appoint a suitable representative in the EEA. This person will act as your local representative with individuals and data protection authorities in the EEA. You need to find a provider in the EEA who offers services as a GDPR representative. If you have a data protection officer (DPO), the representative cannot be the same person, nor can it be one of your processors.
Standard Contractual Clauses (SCCs)
SCCs are standard sets of contractual terms and conditions which the sender and the receiver of the personal data both sign up to. They include contractual obligations which help to protect personal data when it leaves the EEA and the protection of GDPR. In effect, your business is putting a contract in place with its controllers and processors agreeing to adhere to the high standards of data protection afforded by the GDPR. It is the EEA sender of the personal data that must comply with GDPR rules, but UK receivers may want to assist those senders in complying, to make sure data continues to flow if the transition period ends without adequacy.
The SCCs are a standard document – there is no need for you to create your own. Your business must simply choose the appropriate document (controller to controller or controller to processor), fill out the clause accordingly and have the relevant parties sign it.
Guidance to European representatives
If you are based in the UK and do not have a branch, office or other establishment in any other EU or EEA state, but you either:
- offer goods or services to individuals in the EEA; or
- monitor the behaviour of individuals in the EEA,
then you still need to comply with the EU GDPR regarding this processing.
As you do not have a base inside the EEA, the EU GDPR requires you to appoint a representative in an EU or EEA state. You need to authorise the representative, in writing, to act on your behalf regarding your EU GDPR compliance, and to deal with any supervisory authorities or data subjects in this respect.
Your representative may be an individual, or a company or organisation established in the EEA, and must be able to represent you regarding your obligations under the EU GDPR (e.g. a law firm, consultancy or private company). In practice the easiest way to appoint a representative may be under a simple service contract.
The details of your EU representative must be included in your privacy notice and be easily accessible to supervisory authorities. Having a representative does not affect your own responsibility or liability under the EU GDPR.