Data Protection and Brexit
June 2nd, 2020
Understanding Brexit, data protection and their impact on small and medium-sized businesses is vital to our communities, which are the lifeblood of the UK economy.
In this blog, we focus on what SMEs and sports clubs need to think about to address the changes coming down the line, once we exit lockdown.
As most organisations know, the United Kingdom left the European Union on 31st January 2020.
We are now operating under the terms of the Withdrawal Agreement between the UK and the EU. This agreement runs until 31st December 2020.
Unless there is an extension, the UK will either leave the EU with a Free Trade Agreement or leave the EU without a deal.
Changes are coming
The changes to data protection need not be onerous, but they cannot be ignored. Knowing your data is absolutely fundamental.
Many businesses have been forced into new working conditions as a result of the Coronavirus pandemic.
However, businesses are still required to comply with UK law on data protection while employees work from home.
During the transition period, the UK is required to follow the UK Data Protection Act 2018 and the EU General Data Protection Regulation.
The UK government is in discussions with the European Commission. Businesses on both sides of the Channel would like the free flow of personal data to continue after the transition period ends.
Negotiations on what the future relationship between the UK and the EU will look like are underway. It may be some time before businesses understand what that relationship will be and what it might mean for data protection.
At Data Protection 4 Business, we believe that the preparation and analysis for most scenarios regarding data protection remain the same.
So we are going to outline the pragmatic steps your business can take now.
Data Protection – our scenario?
Our assumption is that a UK/EU trade deal can be agreed at the EU level without individual EU member state ratification. However, we believe it is unlikely that this will include regulatory alignment for data protection.
This means the UK may become a ‘third country’ with regard to the EU GDPR on 1st January 2021.
Why? Well, it takes time for an ‘adequacy decision’ to be processed by the EU. Often this takes more than two years.
It follows, then, that an adequacy decision could not be made within the current timeframe of the transition period. Equally, an extension to the transition period is not guaranteed.
Third country status
A ‘third country’ status means that the UK is not recognised by the EU as having ‘adequate’ data protection standards in place.
For those of you paying attention, it is perhaps an irony that on 31st December 2020 the UK will be adequate. However, on the 1st January 2021, the UK may not be adequate!
What you need to think about
Organisations based in the UK should be analysing their business to ensure there are no barriers to processing personal data.
It is useful to start with these questions.
- Does your business directly offer services to individuals in the EU?
- Does your business process data of individuals from the EU?
- Has your business mapped the data transfers involving personal data? If so, do you know the lawful basis for the processing?
- Does your business outsource services to data processors based outside the UK? Are they based in or outside the EU?
- Has your business listed all the companies used for outsourced services? If so, do you know where the data is stored?
- Does your business have a list of companies with whom data is shared, but who do not fall into the ‘outsourced services’ category?
If your business has a significant EU or global offering, then you may need to consider if you have to appoint a representative. This could be a representative in the EU or a representative in the UK or both!
Equally, it is likely that UK and EU data protection regulations will diverge over the coming years. So, it may be easier to outsource the Data Protection Officer role.
In short, changes are coming even if there is an extension to the transition period.
Take control of your preparations
Consider working with a data protection professional. Subscribe to information sources from the UK Information Commissioner (www.ico.org.uk). Alternatively, you can follow our updates by subscribing to our newsletter.