Fines could be doubled – read on to find out more…
After endless months of reporting little else but Brexit in 2019, Covid hit us early in 2020 and became almost the sole topic of the news – and understandably so. However, the ‘B-word’ is now with us once again as we have come to the end of Transition and moved fully out of the EU on 1st January 2021.
Many of us will not be huge businesses or organisations involved in substantial overseas trade and think that Brexit will mean little difference to our operations, but have you considered your data?
The EU GDPR, the much-hyped piece of legislation that came in on 25 May 2018, and which you will have no doubt undertaken a compliance project for, no longer applies to the UK as of 01/01/2021. The good news is that all your hard work was not in vain as the UK GDPR is on its way!
The UK GDPR will effectively mirror the EU GDPR but with some re-wording to make it applicable directly to the UK. Effectively little will change regarding our obligations to individuals, their rights and freedoms, and the need to protect their data. However, and this is particularly important, there will be changes if any of your data is processed in Europe (including cloud services that use European servers), or you deal with people in the European Economic Area (EEA; all EU Member states plus Iceland, Liechtenstein, and Norway).
Some good news is that the EU-UK Trade and Cooperation Agreement contains a bridging mechanism that allows the continued free flow of personal data from the EU/EEA to the UK after the transition period until adequacy decisions come into effect, for up to 6 months. EU adequacy decisions for the UK would allow for the ongoing free flow of data from the EEA to the UK.
However, as a sensible precaution, during the bridging mechanism, it is recommended that you work with EU/EEA organisations who transfer personal data to you to put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU to UK personal data.
How will this affect data transfers? The graphic below gives you an overview.
SCCs (Standard Contractual Clauses) are standard sets of contractual terms and conditions which the sender and the receiver of the personal data both sign up to. They include contractual obligations which help to protect personal data when it leaves the EEA and the protection of GDPR. Other safeguarding mechanisms may be used including Binding Corporate Rules and Codes of Conduct, but the SCCs will be the most common safeguard used.
The EU GDPR may still apply to you if you process the data of European citizens, for example if you sell your goods or services across the EEA. You may also need a European Representative.
You will need a European Representative…
From the ICO (ico.org.uk):
Your representative may be an individual, or a company or organisation established in the EEA, and must be able to represent you regarding your obligations under the EU GDPR (e.g. a law firm, consultancy or private company). In practice the easiest way to appoint a representative may be under a simple service contract.
You will need to authorise the representative, in writing, to act on your behalf regarding your EU GDPR compliance, and to deal with any supervisory authorities or data subjects in this respect.
You should give details of your representative to EEA-based individuals whose personal data you are processing. This may be done by including them in your privacy notice or in the upfront information you give them when you collect their data. You must also make it easily accessible to supervisory authorities – for example by publishing it on your website.
1. You are based in the UK and sell teapots via your website. You do not have an office in Europe, but you advertise to the European market and regularly receive orders from across Europe. People order teapots and therefore send you data so that the orders can be fulfilled.
Individuals do not need to cover their data transfer by implementing SCCs as they are individuals buying directly from you. However, you now have the data of European citizens and therefore need a European Representative.
If you only sell occasionally to Europe and there is a low risk to the rights of individuals, you will not need a Representative.
2. You are a small company or organisation, your website allows people worldwide to sign up for your newsletter, and you have a consultancy contract with a German company. You will not need a Representative. However, if the consultancy work involves the transfer of personal data from Germany to the UK, the German company will have to implement SCCs to protect the data.
Well, there are several risks if you do not consider the issues and protect your data properly. The most significant is that you could face investigations, sanctions, and fines in both the UK and the EU. Any actions taken against you could effectively be DOUBLED!
Five steps to take NOW:
1. Make sure you know where your data is – conduct a mapping exercise if you haven’t already
2. Be prepared for contract variations to include SCCs if organisations in the EEA send you data. Contact key processors or information providers to ensure they are putting mechanisms in place to protect the flow of data.
3. Appoint a European Representative if necessary
4. Update Privacy Notices and any relevant Policies to reference the UK GDPR and include details of your Representative if necessary
5. Don’t get caught out with double jeopardy! For help with these and any other data protection matters contact us immediately – email@example.com