As we approach the second anniversary of Brexit, we thought that now is an ideal time to recap post-Brexit GDPR compliance requirements.
There have been several developments since the UK left the EU. For example, the UK was granted Adequacy by the EU, and the EU and ICO have created new contractual clauses to be used when transferring personal data between countries.
We outline all you need to know about the changes to GDPR post-Brexit.
What is the UK GDPR?
The General Data Protection Regulation (GDPR) gives individuals rights over their personal data. This, in turn, means that organisations bear a regulatory burden and have obligations and responsibilities to make sure that the personal data they hold is protected.
Individuals should be given more transparent information about how and why their data is held, and be informed of their rights over that data. Organisations must also ensure that they have adequate security in place to protect that data.
Organisations must also have in place and maintain a process on how to identify, assess and deal with any breaches of the security of that personal data.
GDPR changes after Brexit
During the Brexit transition period, from January 2020 to 1 January 2020 (EU Exit Day), the GDPR applied to UK organisations as it had done since its implementation in May 2018.
As with many other EU laws, the principles and regulations of the GDPR were transposed into what is now known as the UK GDPR. From Brexit Day, the EU GDPR ceased to apply to UK personal data; however, it continues to apply to EU personal data processed by UK-based organisations.
UK organisations that process personal data from an EU/EEA Member State must comply with EU GDPR principles, the UK GDPR, and the Data Protection Act 2018 (DPA 2018).
EU-based organisations processing UK personal data must observe both UK GDPR and EU GDPR.
Has the UK been granted Adequacy?
If the EU grants another country Adequacy, it means that, following extensive investigation and consideration, the EU Commission has decided that a particular nation’s data protection laws are ‘adequate’.
Therefore, additional safeguards are not required when sending personal data to and from an EU State.
Adequacy was granted to the UK in June 2021. However, it can be withdrawn if the European Union considers that the UK has enacted data protection and privacy laws that diverge too far from the EU GDPR.
Do I need to appoint an EU/EEA-based representative?
The Information Commissioner's Office (ICO) is no longer the Lead Supervisory Authority (LSA) concerning data protection matters for all UK companies.
Before Brexit, if a company suffered a data breach, the ICO took control, and the company didn’t need to contact supervising authorities in the other EU/EEA Member States.
Businesses that process data from EU/EEA data subjects and do not have an office or other form of base in an EU/EEA Member State must appoint a representative.
The GDPR representative requirement applies to organisations that:
- provide products or services in the EU, or
- monitor the behaviour of individuals located in the EEA
A GDPR representative can be an individual or company (such as a lawyer or GDPR consultant).
They must be based in a Member State where some of the organisation's data subjects are situated. The appointment needs to be made in writing with the relationship detailed:
- The representative must be set up in an EU or EEA state where some people whose personal data the organisation is processing are located
- The appointed representative (an individual or a company) must be your main contact for any questions and concerns regarding data protection from any EU citizen or any data protection supervisory authority
- Your representative must be authorised via a written service agreement which sets out the terms of your relationship with them
- You should appoint the representative to act on your behalf on your EU GDPR compliance matters and to deal with any supervisory authorities or data subjects in this respect
- You must inform the affected EEA-based individuals and provide them with the details of the representative. This may be done by including information in your privacy notice or in the upfront information you provide to individuals when their data is collected
- This information must also be easily available to the relevant supervisory authorities – i.e. by publishing details on your website
As the representative is the face of a company’s compliance in the EU, care must be taken in choosing a suitable person or company to fill the position. When deciding which is right for you, you should consider the most suitable jurisdiction.
The GDPR only requires one representative to be appointed, in a Member State where your data subjects are based. However, given the differences between each EU country's interpretation of GDPR processes and the cultural differences between the various nations, you may want to consider appointing several representatives if this is economically feasible for you.
If you fail to appoint a representative and to provide details of the appointment in your customer-facing privacy notice, it is immediately apparent that you are not meeting your duties under Article 27.
This is a red flag that you may have other instances of potential non-compliance elsewhere. By contrast, if you comply with Article 27 and provide details of your representative, this shows that you are taking GDPR compliance seriously.
What are the compliance requirements when transferring data?
In June 2021, the European Commission approved a new set of Standard Contractual Clauses (SCCs) with safeguards to permit international data transfers. The UK Government disapproved of the SCCs.
Businesses that are transferring data to the European Union or other countries that have been granted adequacy were required to continue using the previous version of the clauses to comply with Article 46 of the GDPR.
Following widespread consultation, the ICO created the template international data transfer agreement (IDTA) and the template international data transfer addendum to the EU’s SCCs (the Addendum).
Together these form the UK version of the new EU SCCs. Following Parliamentary approval, the IDTA and the Addendum came into force on 21 March 2022.
What are the penalties for non-compliance?
There may be significant fines and penalties for organisations that breach GDPR (depending on the nature of the incident).
For administrative breaches, the fines may be up to £8m or 2% of a company’s global turnover (whichever is higher), and for more significant incidents up to £17m or 4% of global annual turnover.
Not only does a data breach involve the risk of large GDPR fines, but organisations under ICO investigations face high legal costs and loss of trust from customers, potential investors, and commercial partners.
How is the GDPR applicable in the UK post-Brexit?
Data protection and privacy compliance measures are ongoing commitments. A surefire way to accidentally commit a UK GDPR breach is to rely on the compliance measures you put in place almost two years ago.
To protect your business and the data it holds, and to be post-Brexit compliant, you can take the following five steps:
1. Map data flows to and from the EU/EEA to identify what compliance steps need to be taken. Data flows within the UK should also be regularly mapped so that, if a breach occurs or a subject access request (SAR) is made, you can swiftly isolate the data affected or required.
2. Check if you need to appoint an EU/EEA-based representative and put one in place if necessary.
3. Identify if an EU supervising authority qualifies as a relevant LSA for your business’ data transactions.
4. Amend existing contracts and template terms to include relevant data transfer wording and appropriate referencing to the UK and EU GDPR.
5. Implement the new SCCs, IDTA and the Addendum to ensure that data transfers are compliant.
What is the Data Protection and Digital Information Bill?
The new Data Protection and Digital Information Bill (No.2) covers several data protection issues, ranging from the definition of personal data to international data transfers, data subject access requests, cookies and legitimate interest assessments.
The Bill will remove the need for some businesses to recruit a Data Protection Officer (DPO) and run Data Protection Impact Assessments (DPIA) if they can effectively manage data protection and privacy risks themselves.
Get legal assistance from LawBite
Our expert data protection lawyers have helped thousands of businesses with GDPR compliance. They can provide legal advice to your business to ensure that your documents and contracts are appropriate, robust and in line with UK GDPR.
We’ve also created GDPR-specific service packages that can support you at different stages of your GDPR journey. To find out how we can help your business, book a free 15-minute consultation or call us on 020 3808 8314.