Data privacy and the countdown to Brexit – 4 tips to complete ahead of 1 January 2021

The clock is ticking and with only days left before the UK leaves the EU, there is much for businesses to think about, including where you stand with your data protection and privacy processes.

The UK’s supervisory authority for data protection and data privacy, the Information Commissioner’s Office (ICO) is urging organisations, whatever their size or type, to act now to put steps in place in readiness for 2021.

Our data protection experts outline 4 crucial steps businesses should look to take by 1 January 2021 to avoid future non-compliance and the risk of hefty fines:

Take a free self-assessment to find out if you need an EU Representative

Article 27 of the GDPR requires all organisations offering goods or services to individuals in the EU or monitoring their behaviour, and processing their personal data for those purposes, to appoint an EU representative if they do not have their own establishment in the EU.

The EU Representative serves as a contact point between your organisation, the supervisory authorities in the EU and relevant data subjects. The function of the representative is to:

  • hold your records of data processing activity
  • act on your behalf in relation to data protection matters in the EU
  • act as the first port of call for the local supervisory authorities in relation to compliance action
  • act as a portal for the receipt of requests from individual data subjects in connection with their data protection rights.

Our team led by qualified lawyers and privacy specialists can act as your organisation’s EU Representative. We can help you with holding data processing records, be a point of liaison between EU supervisory authorities and handle subject access requests.

We offer organisations a free self-assessment which can help you decide whether you need to appoint an EU representative.

Put SCC’s in place to keep international personal data transfers lawful

Note: Since this article was published, the UK and EU have reached a Brexit deal, and “the Treaty agreed with the EU will allow personal data to flow freely from the EU (and EEA) to the UK, until adequacy decisions have been adopted, for no more than six months”. Read more from the Information Commissioner’s Office here about the extension.

With the UK leaving the EU, the UK will be considered a ‘third country’ by the General Data Protection Regulation (GDPR) and every EU country will be considered a ‘third country’ by the UK GDPR.

The UK Government has stated that all transfers of personal data from the UK to the EU shall remain permitted; however transfers from the EU to the UK will potentially be restricted.

A data processor in the EU will be obliged to ensure that any personal data sent to UK enjoys the same level of protection in the UK as that data would under EU GDPR.

The flow of personal data from the EU to the UK will be possible in these circumstances:

  • if the UK is given an adequacy decision by European Commission (which is currently being negotiated, but is not yet certain)
  • if appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules are in place
  • if an approved code of conduct for a particular industry sector is in place and is being followed.

The most practical way to keep data flowing from the EU to the UK is via the use of Standard Contractual Clauses (SCCs). SCCs are standard sets of contractual terms and conditions, approved by the EU Commission, which both the sender and the receiver sign up to. They include contractual obligations aimed at protecting personal data when sent to a ‘third country’ and complying with the GDPR.

They have been at the centre of discussion lately since the European Court of Justice (ECJ) invalidated the EU:US Privacy Shield scheme, in the ‘Schrems II’ case, thereby putting personal data flows between the EU and the US based solely on the Privacy Shield outside the scope of the law. Organisations transferring personal data between the EU/UK and the US now have to rely on other solutions such as SCCs.

In response to the ECJ decision, the European Commission recently published draft Implemented SCCs. Organisations which want to retain a flow of personal data from the EU to the UK after the end of this year should introduce SCCs as soon as possible. Even if you already have SCCs in place, you should review and update the text to fit the new status quo.

Multi-national groups of companies might use a different tool for international data flows, known as Binding Corporate Rules (BCRs) – a set of internal data protection rules used across the group. All BCRs need to be approved by a Lead Supervisory Authority (see step 3). If your organisation has BCRs in place and the ICO is your Supervisory Authority, from 1 January 2021 you will need to have them approved by a newly appointed Supervisory Authority under GDPR as well. As with SCCs, you will need to update the text to fit recent legislative changes.

If you need help in drafting up your SCCs or want to know if your organisation should negotiate them with their EU partners, please get in touch as our sister company, Willans LLP solicitors, can advise.

The last tool is approved codes of conduct. These can be drafted by trade associations and other representative bodies and address data protection issues that are important to their members. Unfortunately, there are no codes of conduct at the moment which have been approved by the EU Commission.

Choose your lead supervisory authority

Every organisation which falls under the scope of the GDPR is subject to a supervisory authority – an independent public authority founded by each member state to uphold information rights and privacy policy.  In the UK the supervisory authority is the Information Commissioner’s Office (ICO).

The so called “one stop shop” principle provides organisations with just one authority to report a breach, to communicate with and to be investigated by, even if they are processing personal data about individuals in a number of EU member states.

From 1 January 2021, the ICO will remain the UK’s independent authority overseeing data protection and privacy policy in respect of UK GDPR but will cease to be considered a “supervisory authority” under the EU GDPR.

UK organisations carrying out data processing with the EU after 31 December 2020 (e.g. organisations advertising and selling goods to customers in the EU) will therefore have to identify who will be their supervisory authority in respect of the EU GDPR.

If your organisation is already established within EU, the rules are clear. Nevertheless, there is now an opportunity for UK-based organisations to consider which supervisory authority they would like to be regulated by from the beginning of the 2021, or how to adapt their data processing activities to avoid having a supervisory authority in EU at all.

If you are unsure which approach will be best for your organisation please get in touch as our sister company, Willans LLP solicitors, can help you decide.

Check whether you have an EU domain name

From 1 January 2021, UK companies and individuals will no longer be eligible to hold an .eu domain as these can only be registered or held by EU citizens, EU member state residents or organisations established in the EEA.

It is recommended that you check if your business holds any .eu domains and take relevant steps accordingly.

Founded by legal and data protection experts recognised by the world’s largest global information privacy community, Willans Data Protection Services provides organisations operating on a multi-national basis with EU and UK Representative solutions, Data Protection Officer services and training solutions under the GDPR.

Through its affiliation with UK law firm Willans LLP, it provides organisations with wider advisory services concerning GDPR compliance such as GDPR audits, drafting policies, preparing legal documentation and bespoke legal advice.

Contact us for all things concerning data protection.