[Commercial] Brexit Update – Data Protection
The end of the transition period is now just over a month away and this means time is running out for businesses to make arrangements for a no-deal scenario (which remains a distinct possibility). One key area businesses should think about now is data protection.
From 11pm on 31 December 2020, the UK will incorporate a UK version of the GDPR into domestic law which will be very similar to the EU GDPR. There will then be two versions of the GDPR, the EU GDPR and the UK GDPR, both of which will have extra-territorial impact (i.e. they will apply outside the EU and the UK respectively). This means businesses that have not already made arrangements for data post-Brexit should do so now. The first step is to think about your operations and data flows. Some key points to consider are outlined below.
1. Data flows between the EU and the UK
At the end of the transition period, the UK will become a third country for EU GDPR purposes. This will affect businesses which receive data from the EU other than directly from consumers. In order to continue receiving data, one of the following will be required:
a. a UK adequacy decision. If obtained, this will allow the free flow of data from the EU to the UK. However, given the limited time between now and the end of the year, it seems unlikely that the EU will adopt an adequacy decision in respect of the UK in time for the end of the transition period.
b. a data transfer mechanism - for most businesses, this is likely to be standard contractual clauses (SCCs). If SCCs are to be relied upon, they should be put in place by the end of the transition period.
Another issue to consider is whether it is necessary to appoint a representative in the EU or the UK. Businesses will be required to appoint a representative unless they are only occasionally processing data and they do not process special category or criminal data on a large scale.
For businesses established in the UK, an EU-based representative may need to be appointed and vice versa.
You should review your privacy information/documentation and make any necessary changes.
This will involve revising references to applicable legislation and setting out the details of transfers between the EU and the UK. Records of processing should also be amended to cover any new arrangements.
4. Supervisory authority
You should review whether a lead supervisory authority will apply and if you can still benefit from a ‘one stop shop’.
We have prepared checklists for businesses to use to help them to identify what steps they need to take. If you would like a checklist, please contact the corporate/commercial department at 3CS.