How GDPR has changed since Brexit
Since the EU transition period ended last year, businesses have had to adapt to a long list of changes. Alongside import, export, and employment amends, enterprises need to ensure they comply with GDPR updates to handle data safely.
Many of us will remember when GDPR first came into force in 2018. Since then, and until 31st December 2020, companies had to be careful in how they process and protect data from their customers, in line with EU protocol. Not following GDPR practices has historically had unfavourable consequences.
However, with the UK now outside the EU, there are some changes to which GDPR requirements businesses must follow, depending on whose data they are processing.
Here, we have outlined the updates to GDPR following Brexit and how they may impact your operations.
- Does GDPR still apply?
- What is UK GDPR?
- Can I still send and receive data from the EU?
- What if I have EU customers?
Does GDPR still apply?
The answer is yes, GDPR still applies. Although the GDPR rules were initially drafted and passed by the European Union, there is now a UK GDPR which mirrors the EU version. These rules were converted into UK law on 1st January 2021.
If you are a UK company, you must therefore abide by UK GDPR rules. This means that you will need to continue to follow the regulation regarding data protection for your customers.
What is UK GDPR?
UK GDPR follows similar principles to its EU counterpart, though there are some changes businesses must be aware of.
The first is who controls the GDPR rules. Previously, the EU dictated this, but it now is under the remit of the UK government. This means the UK has the powers to review and amend the regulatory rules as required. Any changes made will impact UK GDPR only.
There have been relatively few amendments made to data protection. Data protection exit regulations were created in 2019, ahead of the Brexit deadline, making some technical adjustments to GDPR law so they fit into a UK-only context.
The ICO, which upholds information rights in the UK and EU, will continue to oversee data protection.
Moving forward, you may need to alter your GDPR policies and processes to align with UK GDPR, including changing relevant documentation. This may include updating your privacy notices, data protection impact assessments, data subject access requests, and data flow documentation to reflect the UK as independent of the EU and to represent the wording used in the UK GDPR regulation.
You may also wish to train your staff so that they understand the changes to GDPR and incorporate them into their work.
Can I still send and receive data from the EU?
Under the UK-EU Trade and Co-operation Agreement, a free flow of personal data from the EU to the UK continued for a maximum of six months, which brings us to the end of June.
The UK is currently awaiting an adequacy ruling from the European Economic Area. This will determine whether the UK’s GDPR protocol is deemed adequate for EU data to be processed under it.
In draft decisions, the European Commission has stated that the UK has an adequate level of protection compared to EU GDPR. The European Data Protection Board and an EU committee now need to decide whether to approve this decision. The adequacy ruling is expected by 30th June, in line with the deadline for the free flow of data under the UK-EU TCA.
If the UK passes the adequacy review, this will allow the free movement of data between the two sides. Data covered by an adequacy ruling will be classed as a restricted transfer due to each side using different GDPR rules.
Any decision is valid for four years, after which the ruling can be reassessed. If the UK’s security level is not found adequate after reassessment, it will be subject to additional requirements to allow the exchange of personal data.
If, for any reason, an adequacy ruling brings an unfavourable result, there may be some additional requirements to facilitate the transfer of data. In this scenario, EU GDPR guidance will also apply for any data coming from the EU to the UK – meaning businesses handling it will need to have appropriate safeguarding measures in place.
It is worth noting that the government has already confirmed that the transfer of data from the UK to the EEA is permitted, regardless of adequacy approval.
What if I have EU customers?
If you serve customers living in the EU and need to process their data, you will need to ensure you comply with EU GDPR when doing so, even if you are based in the UK.
To do this, you need to consider appointing a representative in the EU member states you will be receiving data from or identify a supervisory authority to guide you.
If you are receiving data from the EU or other approved ‘third countries’ (that is, those countries which have had their data protection deemed adequate by the EEA), you will need to have an appropriate transfer mechanism to send data. An example of this could include having Standard Contractual Clauses (SCCs) agreed with your EU counterparts, which will be the route most enterprises need to take. With this, a contract will be put in place between you and the other organisation, using EU terms. You can find out if this is the best practice for you using the ICO’s interactive tool, or if alternative provisions should be made.
GDPR can be a complex subject at the best of times, but understanding the changes you need to abide by now that we are no longer part of the EU is key to compliance. This will help you to continue to process data correctly, including data coming from the EU.
If you are unsure what GDPR information applies to you or want to keep ahead of any updates, especially as we await an adequacy ruling, the ICO is a valuable resource for in-depth information.
If you need support in adapting your operations following Brexit, whether concerning GDPR or any other aspect of your operations, we are here to help. Our team of advisors has expertise in various critical topics, so we can provide tailored guidance to your company based on your unique needs.