The UK ceased to be a member state of the EU on 31 January 2020 and under the terms of the Withdrawal Agreement, a transition period was put in place until 31 December 2020. While we are still within the transition period, we have received several questions from organisations asking what they now need to do (if anything) from a data privacy perspective.
What’s the legal position?
The EU’s General Data Protection Regulation 2016 (“EU GDPR”) continues to apply to all organisations that process any personal data of EEA (“European Economic Area”) citizens (irrespective of where the organisation is based). The EEA includes EU countries as well as Iceland, Liechtenstein and Norway.
The UK has now put in place a default position that is to apply to the UK after 31 December 2020 through the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 ("UK GDPR"). The UK GDPR amends the UK’s Data Protection Act 2018 and merges it with requirements of the EU GDPR to form a data protection regime that will apply after the transition period. There are, however, certain steps that organisations will need to do to ensure compliance with the EU GDPR and the UK GDPR.
What do organisations need to do?
If your organisation has or intends on processing any personal data of EEA citizens (including your employees, customers or your suppliers), you should think about the following:
1. for larger organisations, or those for which personal data is core to your business, ensure all relevant staff are trained and up to date with the changes so they know what is needed.
2. for others – send a note around your company, perhaps based on something like this note, so people are aware of the changes to rules on data privacy and know when to seek further advice.
3. review your data register to identify what type of data you are processing – if any of it is of EEA citizens and is transferred to the UK, you will need to put in place measures to allow you to do this.
4. check whether there is an “adequacy decision” from the EU. If this is the case, you will be able to transfer personal data to the UK. If not or at least until such a decision is made, you will need to follow points 5 and/or 6 below, although it may be a good idea to do that anyway.
5. if you have group companies based in the EEA, you can put in place binding corporate rules between them and your UK entity to allow for data to be transferred to the UK.
6. if you don’t have a group company in the EEA put in place appropriate safeguards (such as the standard contractual clauses) for when you transfer any data from the EEA into the UK (otherwise it may not be a lawful transfer of data).
7. designate a local representative within the EEA to be the point of contact for EEA citizens in respect of their data protection matters (as you will need a representative if you do not have a branch/office within an EEA country).
8. register and/or appoint a data protection supervisory authority as your “lead” authority for data privacy matters within the EEA (as the UK’s Information Commissioner’s Office would only be your data protection supervisory authority for data on UK citizens).
9. update the privacy notice/policy on your website and in your staff handbook to refer to the above as may be applicable.
10. check references in your existing contracts that refer to the transfer of personal data to make sure they reflect these changes and still make sense.
At Aria Grace Law, we can assist you in identifying which steps above apply to you and how to go about ensuring compliance. If you would like to find out more, please contact us on firstname.lastname@example.org
Privacy Update by Nick Gould, Lindsay Healy, Alyson Jackson and Puja Modha, Partners at Aria Grace Law 16.11.2020