The Brexit transition clock ends at 11pm UK time on the 31st of December 2020 and all UK organisations that transfer data to or from the EU will need to have taken appropriate steps before then to prepare for the post-Brexit landscape.
The UK will become a third country for the purposes of the EU GDPR from 1st January 2021. The GDPR will be incorporated into our legal system as the “UK GDPR”. The Data Protection Act 2018 will continue to apply in the UK as it does now, but will reference the UK GDPR rather than the EU GDPR.
What will your business need to do?
Update contracts and privacy policies to reference UK rather than EU GDPR as appropriate. Depending on whether you will be processing EU resident data, UK resident data or both, state which law will apply to each data subject group, as the different legislation types are likely to diverge over time.
Understanding your data flows will help you determine whether your current transfers can continue post-Brexit or whether additional safeguards will need to be implemented. You will need to:
Conduct a case-by-case analysis of each of your transfers to assess if ‘adequate protection’ is being provided within the legal framework of the receiver’s country or jurisdiction. Supplementary measures may be required.
Data Protection Impact Assessments (DPIAs) are a mechanism that enables you to identify the data protection risks associated with specific processing activities, including cross-border personal data transfers, especially where those activities involve ‘sensitive’ personal data. You must:
Update your Records of Processing Activities (RoPA) to articulate this information. Therefore, if any of your processing will be changing as a result of Brexit, updates will be required.
If you have nominated the UK ICO as your lead authority under the One Stop Shop then this needs to be reviewed. You will have to:
Identify one of your alternative establishments situated within the EU and nominate that member, if applicable
If you provide goods or services to the EU and monitor the behaviour of EU Residents, you may need to:
Appoint an EU Representative as required by EU GDPR Article 27. The same applies in reverse if you are an EU organisation under UK GDPR.
If this sounds like it’s going to create extra work for your business, you’d be right! And with limited time until the transition period comes to an end, you don’t have much time to get your business Brexit ready from a data protection perspective. Fortunately, nexa law’s Data Protection Team is available to help you both plan and implement your data protection transition.
For more information please contact Ruby Ladak using firstname.lastname@example.org