Further to our recent GDPR updates, which are available here and here, this note addresses some common questions regarding the applicability of the EU GDPR regime to UK businesses following Brexit.
What data protection legislation applies to UK businesses?
UK businesses, following the UK’s exit from the EU, will now be subject to the retained EU law version of the EU GDPR ((EU) 2016/679) (the ‘UK GDPR’), together with the Data Protection Act 2018. The UK GDPR will work in a very similar way to the EU GDPR so businesses should continue to make sure that they comply with the UK GDPR in the same way as with the EU GDPR.
When will the EU GDPR apply to UK businesses?
The EU GDPR will continue to have extraterritorial effect. This means that it will apply to some UK businesses, even where they do not have premises in the EU. Businesses that will be subject to the EU GDPR are those that:
1. have an establishment in the EU; or
2. offer goods or services to, or monitor the behaviour of, EU data subjects.
In respect of offering goods or services, this will apply if there is an intention to offer goods or services to individuals in the EU. To determine whether there is such an intention, a number of factors must be taken into consideration. Examples of such factors include whether goods are offered for delivery to the EU and whether an EU language or currency is referred to. Data processors may also need to consider whether the activities of their data controllers bring the processor within the scope of the EU GDPR (i.e. where the controller is subject to the EU GDPR).
The effect of this is that some UK businesses will be subject to both the EU GDPR and the UK GDPR. For those businesses that are subject to the EU GDPR, this does not mean that all data will fall under the EU GDPR, but that different data will be subject to different regimes.
Why is it important to know if both regimes apply?
Businesses that are subject to the EU GDPR will have to make sure that they continue to comply with the EU GDPR in relation to that data. In particular, those that do not have an establishment in the EU will have to appoint an EU representative.
If you are not sure whether your business will be subject to the EU GDPR in addition to the UK GDPR, it is a good idea to start by mapping out the data you hold so that you are able to identify which data could fall under the EU GDPR. Whilst the UK GDPR and the EU GDPR will work in similar ways, businesses that are subject to both regimes will have additional considerations and so it is a good time to review your GDPR compliance generally, or to carry out an audit.
If you would like assistance with determining which regimes apply, or if you have any questions regarding data protection generally, please contact the corporate/commercial department or your usual 3CS contact.