The UK has finally left the EU, but the debates over the legal ramifications of Brexit remain as prominent as ever.
In particular, the GDPR (General Data Protection Regulation) and the way in which organisations are permitted to transfer personal data has caused plenty of headaches.
The GDPR is an EU regulation, but its requirements didn’t disappear on 1 January 2021 – not least because many organisations still work with EU-based businesses or handle EU residents’ personal data.
Indeed, EU residents’ information remains protected by the GDPR wherever the organisation processing it is based, provided that organisation offers goods or services to, or monitors the behaviour of, people in the EU.
As such, anyone who processes EU residents’ personal data in this way is still required to comply with the Regulation.
There’s also the DPA (Data Protection Act) 2018 and the UK GDPR – the version of the GDPR that applies to UK residents’ personal data – to contend with, plus further legal changes that will take place in the next few months.
For example, the Trade and Cooperation Agreement only allows personal data to keep flowing from the EU to UK-based organisations without restriction until 30 April 2021.
This deadline will be automatically extended until 30 June 2021 unless either party objects or an adequacy decision is reached before then.
So what happens after that deadline? Let’s take a look at the two possibilities below.
If an adequacy decision is reached
An adequacy decision is an EU ruling that states that a third country’s legal framework provides a level of data protection essentially equivalent to the EU’s.
Personal data can flow freely from the EEA (EU member states, plus Iceland, Liechtenstein and Norway) to countries that receive an adequacy ruling, without any additional safeguards.
This is the best-case scenario for UK-based organisations, because it requires no extra work on their behalf.
Unfortunately, an adequacy decision typically takes up to two years – and the EU couldn’t begin its consideration until exit day.
It’s possible that the ruling will be expedited, particularly given that the UK’s data protection framework is based on the EU GDPR and is in theory easy to compare, but it remains unlikely.
If an adequacy decision isn’t reached
If an adequacy decision isn’t made by June 2021, UK organisations will need to adopt one of the appropriate safeguards for data transfers listed in Article 46 of the GDPR.
In most cases, this will mean adopting SCCs (standard contractual clauses) or BCRs (binding corporate rules).
SCCs are suitable when organisations are sharing data with non-EU-based organisations in a straightforward, stable manner.
That’s because they only cover the data processing activities set out in writing in the clauses, meaning the contract has to be redrafted every time the personal data processing activities change.
The European Commission has so far issued two sets of SCCs for data transfers between data controllers, and one set for data transfers between data controllers and data processors.
Meanwhile, BCRs are internal data protection rules that are legally binding on every member of a corporate group.
However, the rules only apply to that group. As such, while they are useful for intra-group transfers, they don’t help when data needs to be transferred to unrelated organisations.
It’s also worth noting that the UK’s data protection authority, the ICO (Information Commissioner’s Office), is no longer an EU GDPR supervisory authority after the transition period, so BCRs it approved as lead authority will no longer be valid for transfers from the EEA.
UK organisations will therefore have to use BCRs approved by a supervisory authority in the remaining 27 EU member states.
Looking for help creating SCCs and BCRs?
With GRCI Law’s GDPR Contract and Legal Services, you can receive expert guidance at the click of a button.
Our team of qualified lawyers has extensive experience working in data protection law, including writing contracts, enabling GDPR compliance and dealing with the supervisory authorities.
EU and UK representative requirements
No matter what happens with the UK’s data transfer rules, organisations that process personal data across the EU–UK border may need to appoint a representative in the other jurisdiction.
Article 27 of the GDPR states that, with the exception of public bodies and organisations whose processing is only occasional and low-risk, data controllers and processors that aren’t established in a member state but are subject to the GDPR must designate an EU representative.
Because the UK is no longer an EU member state, organisations based in the country must appoint a representative if they monitor the behaviour of, or offer goods or services to, EU residents.
Likewise, EU-based organisations need a UK representative under the UK GDPR if they do the same to UK residents.
EU and UK representatives are responsible for serving as the point of contact between the organisation, relevant supervisory authorities and data subjects. They are tasked with:
- Responding to any queries the supervisory authorities or data subjects have concerning data processing;
- Maintaining records of the organisation’s data processing activities; and
- Making those records available to the relevant supervisory authority (the ICO for a UK representative, the competent EU supervisory authority for an EU representative) on request.
Our team of lawyers, barristers and solicitors will act as your representative, working remotely to fulfil your needs.