The end of the transition period – what has changed?
The UK left the European Union on 31st January 2020 and entered a transition period, which ended on 31st December 2020. What does this mean for data protection and your business?
In short, the data protection principles set out in the EU General Data Protection Regulation (“EU GDPR”) and the Data Protection Act 2018 (“DPA”) will remain in place, with fundamental rights and obligations, such as accountability and transparency, continuing to apply. The EU GDPR is retained in domestic law and the “UK GDPR” sits alongside an amended version of the DPA.
The transfer of personal data by UK businesses to the European Economic Area (“EEA”) will remain largely unchanged and can continue without any additional protections being put in place. What may change is the basis on which UK businesses receive personal data from the EEA.
The UK and the EU agreed a four month “grace-period” from 1st January 2021, at the end of which the UK could be regarded as a “third country” under the EU GDPR. At the time of writing, the UK Government is seeking an adequacy decision from the European Commission, allowing the flow of personal data from the EEA to the UK to continue without any additional safeguards being required. In the absence of such adequacy decision, transfers from the EEA to the UK will need to comply with EU GDPR transfer restrictions.
This is a fast-moving area and the Information Commissioner’s Office (“ICO”) has confirmed it will keep its guidance under review and update it as the situation evolves.
What does this mean for my business?
If you are a UK-based business or organisation, and you transfer personal data to or from other countries (including European countries), you should consider the following steps:
What are Standard Contractual Clauses (SCCs)?
SCCs are pre-approved contractual clauses that can be used as an appropriate safeguard to comply with the restricted transfer rules under data protection legislation. In practice, they are a series of standard clauses forming a contract between the data exporter and the data importer for the purposes of transferring personal information. The data exporter gives the importer certain warranties and undertakings regarding the collection, processing and transferring of the data. In turn, the data importer offers assurances on having appropriate technical and organisational measures in place to protect the personal data.
Although the UK Government are hopeful of securing an adequacy decision from the European Commission, it is vital that you understand and rationalise your international data flows. You should open up a dialogue with entities in Europe from whom you receive personal data and prepare for the possibility of SCCs being required in the absence of an adequacy decision.
How we can help
Our team of data protection experts have a detailed understanding of this ever-evolving area of law so can ensure your business is compliant. To discuss the data protection challenges facing your business, please contact Ben Jackson at firstname.lastname@example.org or on 0191 232 8345.