Data Protection and Brexit post-Dec 31st is a hot topic in cyber security. 2021 is now here and the EU-UK Trade and Cooperation Agreement (the “Trade Agreement”) has been signed off. Today we look at what might happen with data protection.
Data Protection from January 2021 – what will happen?
As part of the EU, the UK was a signatory to data protection rules that covered all members states plus EEA countries. Now though, the UK is effectively a ‘third country’ without the automatic right to transfer data freely.
The UK has committed to upholding data protection standards in line with those of the EU. It is ready to continue accepting data from Europe as it did before Brexit. However, Brussels is yet to agree with this position. That means we currently have no guarantees, at least not until the European Commission confirms that the UK’s data regulation policies are robust enough.
For now, a transition period of six months has been agreed by all parties. We have until June to find a solution to suit everybody. Without an agreement at that point, UK companies seeking to transfer data to the EU would need to turn to Standard Contractual Clauses.
Top Tip – It’s all about compliance
There are some key points to consider:
- If you deal with companies in the EU and the USA, you must adhere to two regulations now instead of one
- The requirement of appointing a Data Protection Officer (DPO) increases when you are a UK company dealing with EU companies. You must now appoint an EU representative (DPO) rather than a UK representative
- Companies will need to work with lead supervisory authorities in the EU when transferring or processing data with an EU company rather than the ICO
- Policies and procedures will need to be updated and Binding Corporate Rules or (BCRs) Standard Contractual Clauses (SCCs) must also be strengthened.
Reach out to our cyber security experts for further guidance.
Data Protection and Brexit – what happens with data gathered before January 1st?
Currently, UK organisations must comply with EU data protection law. This is for personal data gathered before the end of December 2020 and which relates to those living outside the UK.
Data Protection moving forwards
A recent article published by global law firm DLA Piper lays everything out on this superbly. The salient points are as follows:
- GDPR governed UK data protection until Dec 31st 2020
- From Jan 1st 2021, a UK version of GDPR is in place
- This applies as an independent law with much of the GDPR legislation still adopted
- The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (‘EU Exit Regulations’) applies changes to the GDPR
- These changes make it relevant to the UK (references to cross-border data transfers with other Member States are removed, for example)
- Both the Data Protection Act 2018 and The Privacy and Electronic Communications (EC Directive) Regulations 2003 remain in place but are also amended
- The EU Exit Regulations will allow UK organisations to continue sending personal data to EEA organisations in the interim
- UK organisations can also still rely on the 13 existing adequacy decisions adopted by the EU, allowing data transfers to countries previously listed as adequate
- Neither SCCs nor transfer impact assessments for data transfers will be required for the next 6 months
Conclusion
Brexit was always going to bring about a lot of change. Some of the changes will be for the better. Some will invariably not be. For data protection, there is the need to adapt. If you are fully compliant now, there will be less for you to do. Developments over the next 6 months are going to be crucial.
We will update this page as and when more details emerge.
CRIBB Cyber Security is an official certification body. We also specialise in data protection and governance. Our full range of services includes a GDPR Review service. Our qualified and approved consultants will detail precisely what you must do to comply with GDPR and all other Data Protection regulations.
Together with ICE and eTestware, we make up theICEway ecosystem.