The UK Parliament finally ratified the withdrawal agreement, and the UK left the EU at 11 p.m. GMT on 31 January 2020. As we approach the end of the year and the official departure from the EU there are still plenty of questions about how businesses can transfer personal data to and from EU member states.
At the time of writing the UK Government is still seeking an adequacy decision that, if approved, would mean businesses could continue with almost no disruption. A positive decision will maintain the continued free flow of personal data between the European Union and the United Kingdom.
However, despite two years of negotiating, no decision has been made yet. So it is still unclear if we will get the European Commission’s decision by 31 December.
The situation was made even more complicated when earlier this year, the European Court of Justice invalidated the EU–US Privacy Shield. They ruled that it fails to protect people’s rights to privacy and data protection.
It would seem that major changes are on the way, and the Information Commissioner’s Office, which oversees data protection and data privacy in the UK, is advising businesses to act now.
So here are three things your business needs to do before the end of the year.
Do you have a lawful basis for data transfers?
Currently, personal data can be transferred freely between the UK and the EU. However, when the transition period ends, businesses will need to establish a new lawful basis.
If we don't receive an adequacy decision before the end of the year, businesses must use standard contractual clauses (SCCs) or binding corporate rules (BCRs).
BCRs apply strictly to multinationals, helping them make intra-company transfers of personal data across the EU.
SCCs are more widely applicable. They are legal contracts that outline the terms and conditions for data transfers and are designed for businesses that participate in two-way data sharing and straightforward internal personal data transfers.
When using SCCs, businesses and regulators must conduct case-by-case analyses to determine whether protections concerning government access to data meet EU standards.
Do you need an EU representative?
The GDPR states that, except for public bodies, data controllers that aren’t based in a member state and that regularly process EU residents’ personal data must establish an EU representative.
As the name suggests, an EU representative is someone based in the EU who works on behalf of a business in a third country; in our case that will be the UK after December 31st.
For the UK, this will primarily involve serving as the point of contact between the business, the supervisory authorities and data subjects.
This can be done by:
- Responding to any queries the supervisory authorities or data subjects have concerning data processing.
- Maintaining records of the company's data processing activities.
- Making data processing records accessible to the ICO.
Keep up to date with the latest information and guidance
If you are a UK business that receives data from contacts in the EEA, you need to take extra steps to ensure that the data can continue to flow at the end of the transition period.
The UK is committed to maintaining the high standards of the GDPR, and the government plans to incorporate it into UK law alongside the Data Protection Act 2018 at the end of the transition period. UK businesses will be covered by the UK data protection regime.
The UK government has stated that transfers to the EEA will not be restricted. So if you send data from the UK to the EEA you will still be able to do so and you don’t need to take any additional steps.
If a business in the EEA is sending you personal data, then it will still need to comply with EU data protection laws. You will need to take action with them so the data can continue to flow.
For most businesses, the SCCs we mentioned earlier are the best way to keep data flowing to the UK.
Make sure you review your privacy information and documentation to identify any minor changes that need to be made at the end of the transition period.
If your business has European-based customers you should follow these additional steps.
January 1st 2020 and the exit of the UK from the European Union is less than a month away. Despite being so close, there are still so many unanswered questions. There is still confusion around data transfer and what steps we may have to take to stay compliant.
As of the time of writing, this information is correct, but we recommend checking with the ICO to stay up to date as new decisions are made. For further help with staying compliant with your data, talk to us today. You can contact us here, email firstname.lastname@example.org, or call us on 01634 52 52 52.