The agreement negotiated at the eleventh hour took effect on 1 January 2021.
From 1 January 2021 until potentially 30 June 2021 (the interim period), two GDPR regimes will be in place.
The EU GDPR does not apply to personal data of individuals in the UK processed since 1 January 2021.
All the EU law in force as of 31 December 2020 was incorporated into UK law, and this retained version of the GDPR is referred to as the UK GDPR; it now applies to that data.
The European version, referred to as the EU GDPR, will apply to the personal data of individuals outside the UK (legacy data) which you either:
– held before 31 December 2020, or
– acquire in the interim period on the basis of a piece of EU law that still applies in the UK as a result of the Withdrawal Agreement.
You need to work out which version applies to the personal data you have, as there may be minor differences. For example, any CJEU decision made during the interim period will be relevant to legacy data.
If an adequacy decision is granted to the UK, we should be able to apply the UK GDPR to all data.
EEA to UK transfers: for personal data to be transferred from the EEA (the EU member states plus Iceland, Liechtenstein and Norway) to a non-EEA state, which the UK now is, the data has to be protected to a standard equivalent to the EU GDPR.
Now that the transition period has ended and the UK is fully outside the EU, the UK needs an adequacy decision to avoid having to implement safeguards (for example, standard contractual clauses) to protect the data. The UK does not have this yet.
However, as a result of the Brexit agreement, the transfer of personal data into the UK can continue without safeguards for up to six months following the end of the transition period, so until 30 June 2021, unless the UK is granted adequacy before then.
UK to EEA transfers: the UK has confirmed that EEA member states provide the required level of protection for personal data, so these transfers can continue.
UK to non-EEA transfers: the UK has also confirmed that it will accept the adequacy decisions the EU has made in respect of Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay, so transfers to those countries can continue.
Appointment of EU/UK representatives
Both GDPRs have what is called extra-territorial effect. This means that the UK GDPR will apply to controllers and processors that are not in the UK but offer goods and services to, or monitor the behaviour of, individuals in the UK. Such controllers and processors therefore need a representative in the UK who will act on their behalf, for example in dealing with the ICO if an issue arises.
Similarly, UK-based controllers or processors who offer goods and services to, or monitor the behaviour of, individuals in the EU will need to appoint a representative in the EU.
One-stop-shop mechanism
The ICO no longer participates in this, so companies that operate in the EU (that is, they process personal data that substantially affects, or is likely to substantially affect, individuals in the EU) need to consider which EU/EEA supervisory authority will be their lead authority.
To process personal data you need one of the six lawful bases under the GDPR. The UK's departure from the EU means that the use of one of these bases, legal obligation, now differs between the two versions of the GDPR.
A legal obligation under UK law cannot be relied on as the lawful basis under the EU GDPR, and vice versa. Businesses will need to rely on an alternative lawful basis. This may be legitimate interests, but it will depend on the proposed purpose of the processing.
A decision that the UK is adequate is not guaranteed.
The UK needs two separate adequacy decisions: one in respect of transfers of data (including criminal data) to the UK under the GDPR, and one for transfers under the Law Enforcement Directive (LED). The LED is relevant to authorities such as police forces engaged in sharing data for law enforcement purposes.
However, parts of the UK's data processing regime may cause concern, for example national security processing. There may be doubts about whether the UK regime, which permits the retention and transmission of bulk data for national security purposes, complies with EU law (see the CJEU decision in Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others (C-623/17)).
For both decisions, the same issues apply.
1. Work out your data flows so you know where your data came from and where it goes to. This will help you establish which version of the GDPR applies to your data during the interim period.
2. Review and update privacy notices to ensure they accurately reflect how the business processes data.
3. Records of processing will need updating, for example, the lawful basis under the UK GDPR.
4. Appoint a UK and/or an EU representative if needed.
5. Update terms in contracts and templates.
6. Consider whether you need to review your data processing and undertake DPIAs (data protection impact assessments) and LIAs (legitimate interests assessments) to ensure you comply with the accountability principle.
7. Look at your cross border data flows and consider additional safeguards that you can put into place in the event of the UK not gaining an adequacy decision.
8. Review your lead supervisory authority if you need to and consider the practical impact of this on the business.