Brexit – What to do next?

The United Kingdom (UK) left the European Union (EU) in January 2020. Since then, the UK has been in a transition period which expires at the end of December 2020. Whatever new arrangements are put in place (deal or no deal), there will be an impact on how UK and EU based organisations comply with data protection legislation.

What is the legal position as it stands?

The General Data Protection Regulation (GDPR) became directly applicable in the UK in May 2018, supplemented by the Data Protection Act 2018. Until the transition period ends, the UK is still treated as if it were a member state for data protection purposes, so in practice nothing has changed yet.

However, from 1st January 2021 the reality is that the vast majority of organisations will become non-compliant with data protection law unless they act.

Organisations therefore have to plan now to remain compliant with data protection law.

What is going to change after the transition?

The full impact is not yet clear. However, we can be confident that in any scenario all UK businesses are going to have to carry out a complete review of their data protection position.

The rationale behind this view is as follows:

  • The legal requirements for data transfers will change – The UK will no longer be in the EU, so personal data transfers between the UK, the EU and other countries (e.g. the US) will need to be revisited. Current transfer arrangements may no longer be legally compliant, and new transfers will need to be properly accounted for: for example, where UK personal data is transferred outside the UK, and where the data of individuals in the EU is processed outside the EU (e.g. in the UK or the US).
  • EU Representatives may be required – If you are a UK based organisation that processes the data of individuals in the EU, there is a strong likelihood that you will need to appoint an EU Representative, established in one of the member states where those individuals are, to represent you for data protection matters.
  • UK Representatives may be required – If you are an EU based organisation that processes the data of individuals in the UK, you will need to appoint a UK based Representative to represent your organisation for data protection matters in the UK.

What is the impact of these changes?

The simple impact is that most organisations that do not react to the change in circumstances will be breaking the law after the end of the transition period. In the UK we believe that the Information Commissioner's Office (ICO) will give organisations some additional time to review their position and put the necessary changes into place. This is likely to be limited, probably about 6 months. After that, the ICO will consider non-compliance a breach of the law and will likely act accordingly. (Note – this is only our opinion; the ICO may enforce the changes immediately.)

What do we advise?

The minimum requirement for all organisations is as follows:

  • Complete a full risk assessment of your data transfers as they will stand at the end of the transition period; this will tell you what is actually required to comply with the UK GDPR and the Data Protection Act 2018
  • Assess whether you need to appoint an EU and/or UK Representative
  • Put in place the Standard Contractual Clauses needed to legitimise your data transfers and make the necessary contractual adjustments

How can we assist?

We can undertake the consultancy necessary to bridge the gap under either a deal or a no deal scenario. Please contact us for more details.

The DPO Dilemma

Do I need to engage a Data Protection Officer (DPO) or not? This question remains a difficult one for many organisations to answer.

What does the GDPR state?

Under Article 37 of the GDPR, you must appoint a DPO if:

  • you are a public authority or body (except for courts acting in their judicial capacity);
  • your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

However, we feel that these criteria remain confusingly ambiguous, for example:

  1. what is meant by large scale?
  2. what is regular in terms of the monitoring of Data Subjects?

This ambiguity leads many organisations to ignore the requirement and avoid engaging a DPO.

However, is this justified, or is it a high-risk strategy?

In our view, organisations need to take a risk-averse approach; otherwise they risk breaching the GDPR and the Data Protection Act 2018.

Take our DPO Self-Assessment

Taking a risk-averse approach

The Information Commissioner's Office (ICO) explains what is meant by ‘large scale’ and ‘regular’ in its guidance on Data Protection Officers.

In our view the explanation provided remains ambiguous, and even the example given does not offer much clarity. That said, if your organisation is processing special category data on any scale at all, we would suggest it is ‘likely’ that you are legally required to formally appoint a DPO.

Even if you prefer to argue the point, you probably have a ‘best practice’ reason to appoint a DPO. For example, many legal interpretations of the Data Protection Act 2018 suggest that any processing of health-related personal data requires the appointment of a DPO.

What is the impact of this?

The consequences are significant. In our view, the following types of organisation need to engage a DPO as a matter of urgency:

  • Any public authority
  • Schools
  • Colleges
  • Universities
  • Any organisation providing children’s after school services (i.e. sports clubs)
  • Childcare Providers
  • GP Practices
  • Dentists
  • Opticians
  • Chiropractors
  • Chiropodists
  • Social Care Providers
  • Care Homes
  • IT Support Organisations (especially those servicing any organisation on this list)

The above list is not exhaustive; there are many more types of organisation that would fall into the ‘legally required’ or ‘best practice’ categories, e.g. accountancy firms.

How to engage a DPO

Data Privacy Services offers a full DPO-as-a-service offering, starting from only £58.00 + VAT per month, with six different service levels available.