In May 2018, the General Data Protection Regulation (GDPR) came into force. The GDPR represented a huge overhaul of data protection laws with its purpose being to provide individuals with greater levels of protection for their personal data.
As a member of the European Union, the United Kingdom was obliged to adopt the GDPR. However, since then, the UK has left the EU and is now coming to the end of the transition period for Brexit, which will have a potentially significant impact on the use and transfer of personal data after 1 January 2021.
During the transition period, the GDPR continues to apply in the UK and it sits alongside the Data Protection Act 2018 (DPA 2018) – the UK’s own version of the GDPR – and the two should be read in conjunction with one another.
When the transition period finishes, the GDPR will become part of the new body of retained EU law, as will parts of the DPA 2018. This is to harmonise the data protection legislation within the EU and UK as much as possible to avoid a divergence which could prevent the transfer of personal data.
Could EU GDPR Still Affect UK Businesses?
The retained GDPR and DPA 2018 will become known as the “UK GDPR” which will create a single UK data protection regime. In the future, changes to the EU GDPR will not automatically be incorporated into the UK GDPR and the choice of whether or not to adopt the changes would rest with the UK Parliament.
This is not to say that the EU GDPR will cease to have any effect in the UK or on UK-based businesses entirely. The EU GDPR has extra-territorial effect, meaning that if a UK business has an establishment in the EU, or offers goods and services to individuals within the EU, and it processes or controls the data of EU citizens, then it may find itself subject to parallel data protection regimes under the UK GDPR and the EU GDPR.
Impact on Cross Border Transfers
Under the GDPR, the transfer of personal data to a country outside the EU is only permitted if the controller and processor comply with certain conditions set out in the GDPR. These conditions include the European Commission making an “adequacy finding”: a finding that the country in which the party receiving the personal data is based provides an adequate level of protection. Should there not be an adequacy finding, then the parties must ensure that there are appropriate safeguards in place so that data subjects can enforce their rights and have effective legal remedies.
When the Brexit transition period ends on 1 January 2021, the UK will become a third country under the EU GDPR. The European Commission is currently in the process of assessing the UK’s data protection regime and considering its adequacy, but as yet there is no indication of when this will be concluded.
If no adequacy finding is made before the end of the transition period, then by default the UK will become a third country without an adequacy finding, and for data imported to the UK from the EU, the GDPR will continue to apply to the exporter. This means that businesses based in the EU will have to identify a legal basis for any transfers of personal data to UK organisations. Appropriate safeguards would have to be implemented for any import of personal data from the EU to the UK. The EU’s standard contractual clauses (SCCs) are likely to be the most appropriate safeguard for most small and medium-sized businesses. These are a set of EU-approved standard contractual terms and conditions which the sender and the receiver of the personal data both sign up to.
Where data will be passed the other way and exported from the UK to the EU, this can continue without additional protections in place. This is because EU countries will be deemed by the UK to have an adequate level of data protection. Therefore, UK-based businesses can continue to transfer personal data into the EU without the need to have the SCCs in place.
Businesses Affected by Both UK and EU GDPR
However, as mentioned above, some UK businesses could potentially find themselves subject to both UK GDPR and EU GDPR.
A UK-based business will need to comply with the EU GDPR if it does not have a branch or office established in the EU, but it either (a) offers goods and services to individuals in the EU, or (b) monitors the behaviour of individuals in the EU.
If either (a) or (b) apply then the UK-based business will be either the controller or processor of personal data of EU citizens and EU GDPR will apply regarding this processing even after the end of the transition period.
The EU GDPR requires all processors without an established office in the EU to appoint an EU representative. This representative will be appointed to act on behalf of the UK business regarding its EU GDPR compliance, and to deal with any supervisory authorities or data subjects in this respect.
There is an exception to this if the processing is only occasional, of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data. However, ‘occasional’ should be taken to mean processing that is out of the normal course of business and not carried out on a regular basis.
UK businesses should be preparing now for the changes detailed above. Consideration should be given to whether the EU GDPR will continue to apply to the business after the end of the transition period and what safeguards are in place for data being imported into the UK.
If you would like further assistance on general data protection regulations, or have a corporate related enquiry, please contact Matthew Canfield, Solicitor, on 01244 305984 or email [email protected].