Watching the EU Exit deal formation with a keen eye for changes to Data Protection legislation – when the deal was finally announced there was some good news for small businesses with regards to compliance. As most of you will know, the General Data Protection Regulation (GDPR) came into UK law on 25th May 2018.
The EU Exit deal that was finally announced means that from 1 January 2021 the UK GDPR took over from the EU GDPR with respect to personal data use in the UK. The deal is that for a period of at least four months (extendable to six months), restrictions on the transfer of personal data from Europe to the UK have been delayed. During this “bridge” period the UK may not change its data protection laws or exercise “designated powers” – such as approving its own standard contractual clauses – without EU approval.
The ideal scenario now is that the European Commission makes an adequacy decision about the UK’s data protection laws before the end of the four-month period. If this happens, most of the data protection rules governing SMEs will stay the same.
The UK GDPR
The GDPR is retained in UK law through the European Union (Withdrawal) Act 2018. Now known as the UK GDPR, it works alongside the Data Protection Act 2018 (as did the EU GDPR before it). There are some differences between the EU GDPR and the UK GDPR; however, these are predominantly contextual changes to make the law fit as a piece of domestic legislation. For example, references to a “supervisory authority” in the EU GDPR are replaced by specific references to “the Commissioner” (i.e. the ICO) in the UK GDPR.
This is good news for SMEs handling personal data, as the principles, rights, and obligations set out in the EU GDPR remain unchanged. In other words, if you were compliant with the GDPR before 31 December 2020, you will be compliant under the UK GDPR.
UK organisations with no contacts or customers in the EEA
If you have no contacts or customers in the EEA (European Economic Area) and were already compliant with the GDPR, then, as noted above, little has changed and there is not much you will need to do to remain compliant with the UK GDPR.
UK businesses & organisations sending or receiving personal data to or from the EEA
As previously mentioned, the four-month bridge in the Trade and Cooperation Agreement means that personal data flows from Europe to the UK can continue for the moment. The UK Government has also said that transfers of personal data from the UK to Europe can continue.
It is important to note that any business or organisation in Europe that sends personal data to you will need to comply with EU data protection laws. Note also that personal data received from the EEA before the end of the Brexit transition period (known as “legacy data”) remains subject to the EU GDPR as it stood on 31 December 2020 (referred to as the “frozen GDPR”) rather than to the UK GDPR.
UK businesses & organisations with a European presence or European customers
If you operate in Europe, you will need to comply with both the UK and the EU’s data protection laws. The UK data protection regime (including the UK GDPR) will apply to your UK activities, and any offices, branches, or similar establishments that you have in Europe will remain subject to EU law (including the EU GDPR).
If you are based only in the UK but offer goods or services to individuals in Europe, or monitor their behaviour, the EU data protection regime will continue to apply to those activities. You may also need to appoint a suitable representative in the EEA, as the same obligation applies to any organisation outside the EU that processes EU residents’ data in this way.
UK businesses & organisations sending or receiving personal data to or from third countries
The rules around the transfer of personal data to countries outside the UK and the EEA are also similar to the pre-31 December 2020 position. EU adequacy decisions and approved safeguards (such as standard contractual clauses) that existed at the end of the transition period continue to be recognised under UK law.
The fact that the UK GDPR is almost identical to the EU GDPR means that data protection compliance for SMEs in the UK should require little additional work for the time being, save for ensuring that policies, privacy notices, and contractual clauses are kept up to date (for example, updating references to the EU GDPR and to the relevant supervisory authority).