Being GDPR Compliant in the UK - 2021
How to keep data flowing in 2021 and remain GDPR compliant once the UK's transition period with the EU ends
In May 2018 the EU GDPR came into force, protecting the personal data of individuals in the EU regardless of their nationality.
As an organisation, if you hold personal or sensitive information you will be very aware of your GDPR obligations and of the importance of assuring your clients that you take the protection of their information seriously.
And whether you are the Controller or the Processor (or both), understanding the direction in which the information you hold flows is more important now than ever before in these turbulent times.
With effect from 11pm on New Year's Eve 2020 the transition period ends, and EU law, including the EU GDPR, ceases to apply in the UK.
The UK GDPR will replace the EU GDPR in the UK. At this stage the UK GDPR simply carries the amendments needed to make the text work in a UK-only context, and the EU GDPR remains unchanged in the EEA.
The ICO will remain the UK’s independent regulator for data protection law and will continue to co-operate with EU counterparts.
So, what does this mean for UK organisations?
Consider the information flowing in your organisation:
Is any data personal or sensitive?
Do you have any cloud-hosted business applications, and where is that cloud located?
Does information flow in or out of the UK?
If all your information remains in the UK then, as a bare minimum, you will need to review your Privacy Notice and policies, updating references to EU law and the EU GDPR so that they refer to the UK GDPR (and UK domestic law) where applicable. However, it may still be of interest to you to keep reading.
If your information transfers between the UK and EEA or non-EEA countries, continue reading.
Within the EEA (European Economic Area), personal information can flow freely between the member states.
Information flowing out of the EEA to 'third countries', however, is an international transfer and cannot flow freely, whatever the size or frequency of the transfer. The GDPR restricts personal information leaving the EEA (the ICO calls this a 'restricted transfer') unless the rights of the individuals concerned are protected and appropriate safeguards are in place; as with most things, there is a limited set of exceptions to this.
For a number of countries, such as the Isle of Man or New Zealand, the EU has assessed the country's local data protection laws and decided whether to grant the country 'adequacy'. Where adequacy has been granted, data can leave the EEA for that country without implementing alternative appropriate safeguards.
EEA Countries transferring data to UK
As the UK leaves the EU, the UK becomes a 'third country' and a new relationship with the EEA countries has to be agreed.
The UK is seeking an 'adequacy decision' from the European Commission; however, no decision has yet been confirmed.
If the UK does not receive an adequacy decision, the EEA organisation sending personal data to the UK will need to consider appropriate safeguards such as:
SCCs (Standard Contractual Clauses): contractual terms approved by the European Commission as sufficient to place obligations on the data exporter and the data importer and to protect the rights of the individuals whose personal data is being transferred. There are two sets of clauses, depending on whether the agreement is controller-to-controller or controller-to-processor. If you are unsure which set to use, the ICO has an interactive guidance tool to assist you. If a sub-processor is used, they too will need to sign SCCs.
A modernised, more flexible set of SCCs is in consultation until 21st December 2020, after which the EDPB (European Data Protection Board) will issue an opinion on them.
BCRs (Binding Corporate Rules): internal rules approved by a supervisory authority that cover transfers within a corporate group; they are typically used by larger, multinational organisations.
UK transferring data to Non-EEA Countries
The UK government has confirmed that UK organisations will be able to rely on the same transfer mechanisms as under the EU GDPR.
The countries with EU adequacy decisions in place will continue to be treated as adequate by the UK.
The UK will adopt the EU SCCs and the existing exceptions until further notice.
Going forward, the UK will be able to make its own adequacy decisions.
The EU-US Privacy Shield is no longer valid following the Schrems II judgement of July 2020. The current advice is that risk assessments should be conducted and SCCs relied upon for the time being, and that an alternative transfer mechanism for UK/USA transfers will be identified in line with UK GDPR guidance.
UK transferring data to EEA Countries
Data transferred from the UK to the EEA will continue to be permitted.
The government has confirmed that, since the UK has been working to the EU regulation, it has granted the EEA countries provisional (transitional) adequacy, and it will keep that decision under review.
EU GDPR requires the following considerations
If you are a UK-based company trading (goods or services) with individuals in the EEA, or monitoring the behaviour of individuals in the EEA, and you have no office (branch or establishment) in one of the EEA member states, the EU GDPR requires you to appoint a European Representative. Where required, the representative performs several functions on your behalf, and your documentation will need to name them as the contact point for EEA clients and supervisory authorities.
Equivalently, under the UK GDPR, controllers or processors outside the UK that offer goods or services to, or monitor, individuals in the UK without a UK establishment will need a UK representative.
EEA Supervisory Authority
The EU GDPR's 'cross-border processing' (one-stop-shop) mechanism lets an organisation established in more than one EEA state deal with a single Lead Supervisory Authority, the authority of the state where its main establishment is. From the end of the transition period the ICO no longer takes part in this mechanism. A UK organisation with establishments in several EEA states will therefore need a Lead Supervisory Authority within the EEA, and one with no EEA establishment cannot use the one-stop-shop at all and may face action from any EEA supervisory authority where affected individuals are located. In either case, action could be taken by both the ICO and the EEA authorities.
Where do you go from here?
If you send data to EEA countries, it will be sent under the new UK rules.
If you receive data from EEA countries, you may need to assist the sender with the safeguards needed to keep the data flowing.
If you target customers or operate in the EEA, both the UK GDPR and the EU GDPR apply.
Take steps to:
Ensure compliance with the data protection principles
Review and update your existing documentation policies/DPIAs
Provide updated privacy information
Check your DPO requirements
The ICO provides guidance and resources on data protection at the end of the transition period, and recently published a useful table summarising the government's current intentions and what can be considered an appropriate safeguard when information flows to or from the UK.
Even with access to the ICO guidance, it can be overwhelming and difficult to do well. If you feel like you could use some expert help and advice regarding your compliance, whether you want training on the basics or want to outsource your Data Protection Officer role, simply email DuLac Data or call on 0151 528 9286 to arrange a free 30 minute consultation.