A Small Business Guide to Brexit Personal Data Compliance in 2021.

Here’s our no nonsense guide to GDPR and Brexit. What you need to think about, what you might need to do, and most importantly, how you can do things simply.

So Brexit has finally happened.

The UK has left the EU.

But what does that mean in terms of data compliance for your business, and what do you need to do to make sure you’re handling personal data correctly?

In this article, we’ll cover a summary of the changes you’ll need to make, who they apply to, and how to deal with them effectively, without pulling your hair out!

What’s It All About?

Now that the UK has left the EU, the personal information of any EU citizens that your business deals with is now officially deemed as being transferred from one jurisdiction (the EU) to another (the UK).

This movement of data between jurisdictions, known as international data transfers, applies to any business that deals with individuals (data subjects) in the EU, be they prospects, clients, customers, suppliers etc.

If your ‘data subjects’ are EU citizens and your business is based in the UK then your use of their data is now classed as a data transfer.

This means you will need to review and potentially update your records of processing and your policies, to comply with data transfer requirements.

In some instances, an EU DPO will also need to be appointed.

All of this will all be subject to further changes come June 2021 by which time the UK is expected to have received its adequacy decision from the EU.

It’s important to stay up to date with these regulatory changes as they unfold to ensure you don’t get caught out.

If you’re using PORT.im Privacy Centre your business will already benefit from automatic updates to records and policies meaning you have nothing to worry about.

What Are International Data Transfers?  

When the UK was a part of the EU, personal data could transfer freely between EU countries in accordance with GDPR. 

But now that the United Kingdom is out of the EU, data transfer requirements apply to the personal information of any EU citizens.

These people may be your customers, prospects, members, suppliers and so on.

International data transfers are simply the movement of individuals personal information in and out of the EU or between independent sovereign states.

For example, transferring UK citizens data to the United States is also an international data transfer and, as such, will need to be recorded in your Article 30 Records of Processing.

Not sure what Article 30 Records of Processing are? You can learn more here.

Now that the UK has left the EU, you may find you are transferring data in and out of the EU to sell your products and services or simply operate your business.

Whatever the purpose of your transfer of data, you will need to rely on the correct legal safeguards to do so, such as an adequacy decision or standard contractual clauses (SCC’s).

What is This EU ‘Adequacy Decision’?

The EU Commission can issue an adequacy decision regarding data protection in a non-EU country (for example the now defunct EU-US Privacy Shield).

Adequacy decisions are based on an assessment of whether the third country has appropriate legal safeguards for data protection equivalent to those in the EU.

The effect of an adequacy decision is to remove any barriers for data transfers from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further data protection requirement being necessary. 

Will the UK receive an EU adequacy decision? The answer is that it is highly likely that it will.

If this is the case then there is no further action required.

However, there is the possibility that politics will get in the way and the UK might not be awarded an adequacy decision.

What Are Standard Contract Clauses?

If you want to be doubly safe and if you receive personal data from the EEA, the ICO recommends that you put ‘alternative safeguards’ in place before the end of April, if you haven’t done so already.

Alternative safeguards, in effect, comes down to ‘standard contractual clauses’.

You can learn more about standard contractual clauses on the ICO website here.

However, the good news is that if you are using Privacy Centre you will be notified of all necessary changes. Your privacy and compliance documents will be updated automatically as and when needed.

What Are The Changes to Legislation?

The Government has announced that the Treaty agreed with the EU will allow personal data to flow freely from the EU (and EEA) to the UK, for the next six months, until adequacy decisions are adopted.

This ‘bridge’ will allow businesses and public bodies to continue to freely receive data from the EU. 

The UK Government is seeking an adequacy decision from the European Commission.

In the absence of an adequacy decision at the end of the bridge, transfers from the European Economic Area (EEA) to the UK will need to comply with EU GDPR transfer regulations.

What Do I Need To Do? 

If you are a UK business or organisation that already complies with the GDPR and has no contacts or customers in the EEA, then these changes will likely not apply to you and so you may not have to anything.

UK businesses and organisations that receive personal data from contacts in the EU or EEA, will need to take extra steps to ensure that data can continue to flow if the 6 month bridge period ends without a positive adequacy decision.

The extra steps may entail inserting Standard Contractual Clauses (SCC’s) into your contracts that acknowledge the GDPR and individuals rights in accordance with the regulations.

Your policies should then reference these SCC’s for data transfers in and out of the EU.

If your business uses a Privacy Centre with smart data mapping tools these sorts of changes to policies and deployment will be highlighted automatically.

If not, it’s a good idea to keep an eye on the ICO site as staying on top of all the changes can be challenging and a time-consuming drain on resources.

If you are a UK business or organisation with an office, branch or other established presence in the EEA, or if you have customers in the EEA, then you need to comply with both UK and EU data protection regulations.

This is no more difficult than complying with the GDPR as the GDPR has also been adopted into law in the UK. However, you may also need to designate a representative or DPO in the EEA.

Does It Apply To Me?

The changes to legislation apply to any organisation transferring the personal data of an EU individual in or outside of the EU.

There are a number of exemptions where the transfer of personal data can take place in absence of transfer mechanisms.

These are limited circumstances and include cases when:   

  • explicit consent is given by data subject;
  • the transfer is necessary for the conclusion or performance of the contract;  
  • there are important reasons of public interest;   
  • it is necessary to establish, exercise or defend legal claims;    
  • it is necessary for the vital interest of data subject or other persons;   
  • it involves public register data;

Do I Need to Appoint an EEA Representative or an EU DPO? 

If your data processing is only occasional, of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data, you may not have to appoint an EU DPO.

You may need to appoint an EU DPO if you are based in the UK and do not have a branch, office or other establishment in any other EU or EEA state.

If you either:

  • offer goods or services to individuals in the EEA; or
  • monitor the behaviour of individuals in the EEA,

Then you still need to comply with the EU GDPR regarding this processing.

If you do not have a base inside the EEA, the EU GDPR requires you to appoint a representative in the EEA.

This representative needs to be located in an EU or EEA state where the individuals whose personal data you are processing are located.  

You need to authorise the representative, in writing, to act on your behalf regarding your EU GDPR compliance, and to deal with any supervisory authorities or data subjects, in this respect.

These measures can be expensive and impractical to implement, and so many businesses are turning to EU DPO services to fulfil these criteria.

If you think you may need an EU DPO service then contact us and we can help guide you as to whether you do or don’t, and how best to put a suitable arrangement in place.