The EU-UK Trade and Cooperation Agreement (Trade Agreement) states that both the UK and EU will remain “committed to ensuring a high level of personal data protection”. It also confirms that personal data will continue to flow freely from the EU (and EEA) to the UK for a maximum of six months, until an adequacy decision has been made.
This blog will outline any changes to data protection rules and any actions businesses need to take in line with the Trade Agreement.
Will there be any changes to the GDPR?
The General Data Protection Regulation (GDPR) is an EU regulation on data protection and privacy which governs how personal data is to be processed and transferred.The GDPR will remain in UK law following Brexit and the Trade Agreement, with some minor amendments being made to ensure its functionality under UK law. The new UK GDPR will continue to be read alongside the Data Protection Act (DPA).
The adequacy decision due to be made by the EU will determine whether the UK’s data protection regime meets EU standards. If standards are deemed to be adequate there will be no further safeguards required to transfer personal data between the EU and UK. If standards are not adequate then the EU Standard Contractual Clauses (SCCs) will need to be agreed and signed between the two parties transferring the data.
SCCs act as a safeguard by ensuring the lawful and secure transfer of personal data between the EEA and third countries (non-EEA countries). SCCs are legally binding agreements containing clauses that place an obligation on third countries to protect personal data.
Is there anything I need to do as a business owner?
As a business owner you must make sure you are always handling personal information given to you by individuals correctly. Our guide on data protection outlines your obligations when handling personal information. Additionally, you should;
- determine whether you need to appoint an EU based representative, and;
- identify your Lead Supervisory Authority and determine whether or not you need to change them
When do I need an EU-based representative?
The representative will be able to act on your behalf regarding your GDPR compliance and deal with any supervisory authorities. You might need to appoint an EU-based representative if your business:
- has no offices or branches in the EEA , and
- offers goods or services to individuals in the EEA or monitors the behaviour of individuals in the EEA
The representative can be an individual or organisation established in the EEA and you must provide the representative with details of your data subjects and which supervisory authorities you are subject to.
Which Supervisory Authorities must I comply with?
Supervisory authorities are relevant public bodies that regulate the flow of data within their jurisdiction. In the UK the Information Commissioner’s Office (ICO) is responsible for regulating data protection. Supervisory authorities can also impose fines or penalties on businesses for breaching data protection rules.
When the UK was part of the EU, businesses benefited from the ‘one stop shop’ principle which allowed a business to have just one lead supervisory authority across the whole EEA, even when processing data in multiple jurisdictions. However, this is no longer applicable and UK businesses will now need to comply with supervisory authorities of the ICO and the domestic supervisory authority of EU member states they process data within.
The supervisory authorities you must comply with will depend on whether you have an office, branch or establishment in the EEA. The rules are as follows:
- where a UK business processes data within multiple EU member states, and has an office, branch or establishment in the EEA (as well as the UK) they will be subject to the supervisory authority of the ICO and only one member state’s authority – typically the state with the largest customer base.
- where a UK business processes data within multiple EEA member states, but does not have any offices, branches or establishments in the EEA, they will be subject to the ICO and the supervisory authority of each member state they process data from, meaning they may be liable for penalties from multiple supervisory authorities.
More information on the changes faced by businesses and the actions they may need to take can be found in our Brexit for businesses guide.