Brexit and Data Protection Update

Understanding Brexit and Data Protection and its impact on small and medium-sized businesses is vital to our communities, which are the lifeblood of the UK economy.

In this blog, we focus on what SMEs and sports clubs need to think about to address the changes coming down the line, once we exit lockdown.

Transition period

As most organisations know, the United Kingdom left the European Union on 31st January 2020.

We are now operating under the terms of the Withdrawal Agreement between the UK and the EU. This agreement runs until 31st December 2020.

Now that it is clear there will be no extension, the UK will either leave the EU with a Free Trade Agreement or leave the EU without a deal.

Changes are coming

The changes to data protection need not be onerous, but they cannot be ignored. Knowing your data, technology and data flows is absolutely fundamental.

Many businesses have been forced into new working conditions as a result of the Coronavirus pandemic.

During the transition period, the UK is required to follow the UK Data Protection Act 2018 and the EU General Data Protection Regulation.

Future relationship

The UK government is in discussions with the European Commission. There are businesses on both sides of the Channel who would like a continued free flow of personal data after the transition period ends.

Negotiations on what the future relationship between the UK and the EU will look like are underway. It may be some time before businesses understand what that relationship will be and what it might mean for data protection.

At Data Protection 4 Business, we believe that the preparation and analysis for most scenarios regarding data protection remain the same.

So we are going to outline the pragmatic steps your business can take now.

Data Protection – our scenario?

Our assumption is that a UK/EU trade deal can be agreed at the EU level without individual EU member state ratification. However, we believe it is unlikely that this will include regulatory alignment for data protection.

This means the UK may become a ‘third country’ with regard to the EU GDPR on 1st January 2021.

Why? Well, it takes time for an ‘adequacy decision’ to be processed by the EU. Often this takes more than two years.

It follows, then, that an adequacy decision could not be made within the current timeframe of the transition period, now confirmed as ending on 31st December 2020.

Third country status

A ‘third country’ status means that a country is not recognised by the EU as having ‘adequate’ data protection standards in place.

Without an adequacy decision from the EU to the UK, the UK will become a ‘third country’ from a data protection perspective on 1st January 2021, despite having passed the GDPR into UK law in 2018.

For those of you paying attention, it is perhaps an irony that on 31st December 2020 the UK will be adequate.

However, on the 1st January 2021, the UK may not be adequate!

What businesses need to think about

Organisations based in the UK should be analysing their business to ensure there are no barriers to processing personal data.

Businesses need to be able to answer these questions:

Does your business directly offer services to individuals in the EU?

Does your business process data of individuals from the EU?

Has your business mapped the data transfers involving personal data? If so, do you know the lawful basis for the processing?

Does your business outsource services to data processors based outside the UK? Are they based in or outside the EU?

Has your business listed all the companies used for outsourced services? If so, do you know where the data is stored?

Does your business have a list of companies with whom data is shared, but who do not fall into the ‘outsourced services’ category?

If your business has a significant EU or global offering, then you may need to consider if you need to appoint a representative. This could be a representative in the EU or a representative in the UK or both!

It is likely that some contractual changes will be required depending on your data flows, where data is stored and by whom.

Looking ahead

It is likely that UK and EU data protection regulations will diverge over the coming years. So, consider working with a data protection consultancy or professional.

Subscribe to information sources from the UK Information Commissioner (www.ico.org.uk). Alternatively, you can follow our updates by subscribing to our newsletter.