The United Kingdom (UK) left the European Union (EU) in January 2020. Since then, the UK has been in a transition period which expires at the end of December 2020. Whatever new arrangements are put into place (i.e. deal or no deal), there is an impact on how UK- and EU-based organisations comply with data protection legislation.
What is the legal position as it stands?
The General Data Protection Regulation (GDPR) came into force in UK law in May 2018. This version of GDPR effectively became the Data Protection Act 2018. Until we complete the transition, we are still being treated as an EU country, and as a result nothing really changes until the transition period ends.
However, from 1st January 2021 the reality is that the vast majority of organisations will become non-compliant with Data Protection Law.
What is going to change after the transition?
The full impact is not yet clear. However, we can be confident that in any scenario all UK businesses are going to have to do a complete review of their data protection status.
The rationale behind this view is as follows:
- The legal requirements for data transfers will change – We will no longer be in the EU, and therefore a revision of personal data transfers between the UK, the EU and other countries, e.g. the US, will be needed. The likelihood is that current transfer arrangements may no longer be legally compliant, and new transfers will also need to be properly accounted for. For example, where UK data is transferred outside of the UK, and where EU citizens' data is processed outside of the EU, i.e. in the UK or US etc.
- EU Representatives may be required – If you are a UK-based organisation that processes EU citizens' data, there is a strong likelihood that you will need to appoint an EU Representative in that country within the EU to represent you for data protection matters.
- UK Representatives may be required – If you are an EU-based organisation and process UK citizens' data, then there will be a need to appoint a UK-based Representative to represent the organisation for your data protection matters in the UK.
What is the impact of these changes?
Put simply, most organisations that do not react to the change in circumstances will be breaking the law after the end of the transition period. In the UK, we believe that the Information Commissioner's Office (ICO) will give organisations some additional time to review their position and put the necessary changes into place. This is likely to be limited, probably about 6 months. After that, the ICO will consider this a breach of the law and will likely act accordingly. (Note – this is only our opinion and the ICO may enforce the changes immediately.)
What do we advise?
The minimum requirement for all organisations is as follows:
- Complete a full risk assessment of the data transfers based upon the end of the transition period; this will advise you on what will actually be required to comply with the Data Protection Act 2018 (i.e. the new UK-GDPR)
- Assess the requirements for appointing Representatives if this is needed
- Develop the necessary Standard Contractual Clauses needed to legalise the data transfers and implement the necessary contractual adjustments as required
How can we assist?
We can undertake the necessary consultancy to bridge the gap based upon a deal or no deal scenario. Please contact us for more details.