Currently, the EU General Data Protection Regulation (EU GDPR) is the primary legislation that governs the use of data in the UK.
The Government have already stated that upon the end of the transition period, from 1st January 2021, the EU GDPR will be incorporated into UK law to create a new UK GDPR. Together with the Data Protection Act 2018, this will become the UK’s primary data protection legislation.
Businesses exporting goods or services to the EU will be subject to both the EU and UK GDPR and should ensure compliance with both sets of regulations.
UK to EU transfers
The transfer of data from the UK to the EU will remain unaffected, as the UK GDPR currently recognises all EU states as having ‘adequate’ data laws, meaning that data will be able to travel freely from the UK to the EU without the need for any further adjustments being made.
Moreover, the UK GDPR also recognises every country that has been declared as adequate by the EU as adequate for UK purposes, which includes countries like Japan and New Zealand. Businesses therefore do not need to take any action in relation to any personal data being transferred from the UK to EEA member states and those countries already declared adequate by the EU.
Transfers to any other countries will require some form of transfer mechanism and the UK is likely to start working on this upon the end of the transition period.
EU to UK transfers
In order for EU data to safely and freely transfer to the UK without further restrictions, the EU needs to declare that the UK is adequate for data protection purposes.
However, the EU are yet to make this declaration and are still conducting an assessment of the UK’s data protection regime. The rules that will apply to transfers of personal data from the EU to the UK are therefore still unclear.
If the EU does not make an ‘adequacy’ declaration, the UK will be considered to be a third country by the EU from the 1st January 2021, and additional measures will need to be put in place to legitimise and regulate the transfer of data from the EU to the UK. For example, the Standard Contractual Clauses approved by the European Commission will need to be incorporated into contracts to adequately safeguard the transfer of data.
Steps businesses should take
Businesses should therefore prepare for the potential consequences of Brexit. This means preparing to put in place any transfer measures that may be required if the UK does not receive an adequacy decision from the EU in order to safeguard the transfer of personal data, such as the execution of the Standard Contractual Clauses mentioned above.
Organisations will also need to update their existing contracts and data protection documentation, such as privacy notices, to clarify that the UK is no longer an EU member state and that the EU GDPR no longer has direct effect in the UK and has been replaced by the UK GDPR.
Moreover, businesses should consider whether they need to appoint new data representatives in the respective regions for compliance purposes.
We at Berry Smith have a team that specialises in data protection and are already advising our clients in relation to the implications of Brexit. We can help you identify, understand and appropriately manage the risks and challenges posed by Brexit on your contracting arrangements.
For further information or assistance, please contact Dan Dowen at firstname.lastname@example.org or alternatively please call 029 20 345511 and ask for the commercial team.