This page was last updated 1 March 2021
There are a number of practical steps that organisations (both controllers and processors) should consider taking in relation to data protection compliance. These steps must be considered carefully on a case-by-case basis and we would be pleased to discuss any aspect of this guide with you in more detail.
What will happen to GDPR?
The General Data Protection Regulation (GDPR) is an EU Regulation and, after the end of the transition period, no longer directly applies in the UK. However, the Government has introduced legislation, in the form of the EU (Withdrawal) Act 2018 and The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, which will, in effect, preserve the GDPR in UK law, albeit with amendments for the UK context. This separate law has been called 'UK GDPR' to differentiate it from the existing GDPR. UK-based organisations that also have an establishment in the EEA, or that process the personal data of individuals based in the EEA, will need to continue to comply with the actual GDPR, as it has extra-territorial effect in certain circumstances.
Further, under the terms of the EU/UK Withdrawal Agreement (WA), if no adequacy decision is granted in favour of the UK's data protection regime, Article 71 of the WA will govern the processing of so-called 'legacy personal data'. This is data of non-EEA individuals that was processed by a UK controller before 31 December 2020 – such data must continue to be processed in compliance with the actual GDPR, but as it stands on 31 December 2020. We discuss the implications of Article 71 WA in more detail here.
Accordingly, organisations that do business in the UK and the EEA will need to navigate and comply with two regulatory regimes, 'UK GDPR' and the actual GDPR (and potentially a third where Article 71 WA applies, i.e., actual GDPR as at 31 December 2020). These regimes will approach data protection from a similar set of principles and objectives and, in many areas, no separate action will be required. However, there may be divergences that will need to be taken into account, particularly as time passes, and there are a number of important issues to consider, such as in relation to flows of personal data. Organisations may also find that they are at risk of enforcement actions or complaints in several jurisdictions across the EEA and/or the UK (either by regulatory authorities or by individuals) arising out of the same incident.
Transfer of personal data
The free flow of personal data between the EEA and the UK is an issue of critical importance for most organisations.
The Trade and Co-operation Agreement between the UK and EU provides for a four-month bridging period (which may be extended to six months) for the EU Commission to consider its assessment of whether the UK's data protection regime is adequate. The effect of the bridging mechanism is that, during that period, the UK will not be treated as a third country for the purposes of data transfers from the EEA, provided that it does not modify its data protection law (the 'UK GDPR') or exercise certain powers in relation to international transfers, unless by mutual agreement. If the EU objects to any changes or exercise of certain powers, and the UK goes ahead and makes them, the bridging mechanism will come to an end.
During this period, data transfers from the EEA to the UK can therefore continue without further safeguards being necessary. The EU Commission has issued draft decisions to the effect that the UK's post-Brexit data protection regime is adequate, but there is still some way to go before the decisions are given final approval. Accordingly, to prepare for the risk of the UK not being granted an adequacy decision, you should be aware of your international flows of personal data: what personal data you have and where you hold it, as well as where you are transferring it to and from. You can then decide upon the appropriate mechanism for your personal data transfer flows, should this be necessary. Note that where a customer passes their own personal data to the organisation, this will normally not be regarded as a data transfer, and so these issues will not need to be considered.
In summary, the position for data transfers at the end of the transition period is as follows:
Transfers of personal data from the UK to the EEA
These will be able to continue unrestricted, as now. The UK Government has said that it will continue to recognise EU data protection standards as sufficient (albeit it will keep this under review).
Transfers of personal data from the EEA to the UK
These can continue during the bridging period whilst the EU Commission assesses whether the UK should have an adequacy decision. If there is no adequacy decision in favour of the UK in place by the end of the bridging period, transfers of personal data from the EEA to the UK will only be able to occur using:
- Standard Contractual Clauses (SCCs)
- Binding Corporate Rules (BCRs)
- Codes of Conduct and Certification Mechanisms
- Derogations including, for example, explicit consent of the data subject
Whilst the most obvious solution for organisations that want to transfer personal data from the EEA to the UK would have been SCCs, these do add an extra layer of complexity and cost. Further, the CJEU's decision in Schrems II has made data transfers from the EEA to non-EEA territories using SCCs particularly challenging, as we discuss here. This issue is being looked at by data protection authorities, including the UK's Information Commissioner's Office (ICO) as a matter of urgency.
Transfers of personal data from the UK to other jurisdictions
These can continue where the Commission has already adopted adequacy decisions for the relevant jurisdiction (although in due course the UK will put in place new adequacy regulations of its own). For all other countries, an appropriate safeguard must be put in place for the transfer. Transfers of personal data from the UK to the US, where many businesses will have relied upon the Privacy Shield before the Schrems II decision, will however need to be considered very carefully, in light of developing guidance. The general position is that any transfer of personal data to a jurisdiction which does not have an adequacy decision needs to be subject to close scrutiny by the parties.
Transfers of personal data from non-EEA jurisdictions to the UK
Where the EU has made an adequacy decision in respect of a particular country, the UK is working with those countries to make specific arrangements for data transfers to continue to flow to the UK. Pending those arrangements, it will be necessary to ensure compliance with local law on the transfer of personal data. See the ICO Brexit page for more information.
Group Companies and Binding Corporate Rules (BCRs)
In relation to restricted transfers from the UK which are within a corporate group, it may be possible to rely upon BCRs. The European Data Protection Board (EDPB) has issued guidance in relation to BCRs approved by the ICO. These will require a new BCR supervisory authority lead in the EEA and revisions to the content of the BCRs. The ICO has also published guidance confirming that holders of BCRs that were authorised by the ICO will be automatically eligible for a UK BCR. They will need to produce a UK version of their BCRs by 1 January 2021, and provide this to the ICO on or before the next annual update due date. The guidance also clarifies the position for BCRs that were authorised by another lead supervisory authority and the steps that need to be taken for those to be eligible for a UK BCR.
It is also important to note that the effect of the CJEU's decision in Schrems II will be to require existing BCRs to be reassessed as well, to establish whether appropriate safeguards are in place in respect of the specific transfers involved, and whether supplementary measures need to be adopted.
Main establishments and 'One Stop Shop' under GDPR
Under GDPR, EEA-based organisations which carry out processing in more than one EEA state only need to deal with a single regulatory authority as their lead supervisory authority. This is known as the 'One Stop Shop' principle. It means that, for example, there would only be one fine imposed by an authority as a result of an infringement that covered a number of EEA territories, and that single fine would cover the whole EEA.
Non-EEA based organisations cannot rely upon the One Stop Shop principle. However, they may be liable for a breach of GDPR on the basis of its extra-territorial effect in certain circumstances. You should consider what cross-border processing you carry out, as this will affect the extent to which you are subject to the ICO and/or EEA supervisory authorities after the end of the transition period:
Organisations with a main establishment in the UK and establishments in the EEA: You may wish to consider whether any of your establishments in the EEA could be your main establishment, in order to take advantage of the GDPR 'One Stop Shop' and avoid being at risk of regulatory action from multiple EEA regulators. Even if you are able to demonstrate that you have an EEA main establishment, however, where cross-border processing involves the EEA and the UK, you will still be subject to the ICO's jurisdiction, as well as the lead EEA regulator.
Organisations with a main establishment in the UK and no establishments elsewhere in the EEA: you will no longer be able to take advantage of the GDPR 'One Stop Shop'. As GDPR has extra-territorial effect in certain circumstances, you may have to deal with the supervisory authorities in all EEA states where data subjects are located, and whose personal data you process.
EEA and UK representatives
If you are based in the UK and do not have an establishment in the EEA, and you offer goods or services to data subjects in the EEA or monitor their behaviour, you will need to appoint a representative in the EEA, unless you can take advantage of an exception. Exceptions will need to be assessed on a case-by-case basis.
If it is appropriate for you to appoint an EEA representative, you must ensure they are based in an EEA state where at least some of the individuals whose personal data you process are located. The role of the representative is largely a passive one – it will be identified in Privacy Notices and can be sent communications from EU individuals and EU data protection supervisory authorities. The representative needs to maintain records of processing activities and co-operate with a supervisory authority if it raises any issues.
Under the 'UK GDPR', relevant organisations located outside of the UK will need to appoint a UK representative, again subject to a relevant exception applying.
Updates to privacy notices, terms and conditions and other relevant documents
Your Privacy Notices and related documents such as terms and conditions for websites, and terms of business will need to be updated to take into account the various regulatory regimes that you are subject to after the end of the transition period, i.e., GDPR and/or the 'UK GDPR'. Other relevant documents such as data processing agreements and data protection impact assessments should also be reviewed.
Your updated Privacy Notices and communications with individuals will also need to: explain how you will transfer personal data to and from the EEA/UK and other jurisdictions; identify an EEA/UK representative (where one is appointed); and consider carefully the appropriate legal basis for processing personal data, as existing bases may no longer apply.
The UK GDPR will require data controllers to appoint a Data Protection Officer (DPO) by reference to the same criteria as under GDPR. In some circumstances, this can be the same person, provided they are easily accessible from both your UK and EEA establishments, but you may need separate DPOs.
Digital Services Providers and Essential Services
If you are a company operating essential services (e.g., banking, health care, energy and transport), or you are currently providing online marketplaces, online search engines or cloud computing services to those in the EU, you may also need to consider the effect of Brexit on the Network and Information Systems Regulations. The Regulations will continue to apply in the UK after the end of the transition period. As with GDPR, digital service providers will need to consider appointing representatives in the EEA and/or UK as appropriate. The Government has issued guidance for providers operating in the EU and for non-UK providers operating in the UK.
If you would like to discuss any of the issues raised in this Client Guide, please contact a member of our Data Protection team.
Further guidance can also be found on the ICO website and in the Government guidance on data protection after 1 January 2021.