Now that the UK has left the EU, a number of changes have been put in place to regulate the transfer of personal data.
If you are a business or an organisation which transfers or receives personal data to and from countries in the EEA, or you operate in the EEA, there are changes to the Data Protection Act you need to be aware of.
In a world where data has become increasingly valuable, it is more important than ever to protect individuals’ rights to data privacy. Since GDPR came into force there have been a number of high-profile cases of tech giants exploiting consumers’ data and falling foul of some eye-watering fines. Google were fined a whopping 50 million Euros in March 2020 for not providing users with enough information on how their personal data would be processed.
If you are a business that handles consumer data, it is imperative to make sure you are in full possession of the facts and are complying with the changing data privacy laws now that the UK has left the EU.
What is personal data?
Personal data includes any information relating to an identified natural person, such as name, number, location, bank details, biometrics, religion, IP address, etc.
What do I need to know about transferring data in the UK, and from the UK to the EU?
Now that the UK is no longer part of the EU, the EU GDPR does not apply to UK organisations. However, businesses still need to meet the EU data security regulations if they operate in the EU or conduct business with clients who are in the EU. If your business or organisation only operates in the UK, you need to comply with UK data protection laws.
As GDPR was the basis for the UK GDPR legislation, there is little change to its principles. The UK GDPR is part of the Data Protection Act 2018 (DPA); together with the PECR (Privacy and Electronic Communications Regulations), these form the main personal data protection legislation in the UK.
Currently, there are no changes to the way you transfer data from the UK to the EEA, including Gibraltar. However, there is always a possibility that legislation will change – we recommend you keep up to date on any changes via the ICO website.
Rules on receiving personal data from the EU/EEA into the UK:
Presently, there is a bridging mechanism in place which allows the continued free flow of personal data from the EU/EEA to the UK whilst we await an adequacy decision from the European Commission. “The effect of an adequacy decision is that personal data can be sent from an EEA state to a third country without any further safeguard being necessary.” (ICO) After the decision is made, the UK will be required to continue to meet the EU regulations around data security (GDPR), which will be reviewed every 4 years by the Commission.
“Ensuring free and safe flow of personal data is crucial for businesses and citizens on both sides of the Channel. The UK has left the EU, but not the European privacy family. At the same time, we should ensure that our decision will stand the test of time. This is why we included clear and strict mechanisms in terms of both monitoring and review, suspension or withdrawal of such decisions, to address any problematic development of the UK system after the adequacy would be granted.”
- Věra Jourová, Vice-President for Values and Transparency
The bridging mechanism expires on 30 June 2021.
What do I need to do?
- If you operate in or conduct business with clients inside the EU, you will need to appoint an EU representative for data protection purposes. For further information, please refer to the ICO’s guidelines on EU representatives.
- You will need to update your documentation relating to data privacy including privacy notices, data processing addenda and similar contractual arrangements, and any internal policies and records.
- Address any new ‘restricted transfers’. Any transfer of personal data outside the protection of the UK GDPR to a country outside the UK is referred to as a restricted transfer. Before any such transfer takes place, you will need to know whether it is covered by an ‘adequacy decision’; if not, you can cover it with ‘appropriate safeguards’ or with one of the exceptions listed in Article 49 of the GDPR.
For further information visit the Information Commissioner’s Office.