As of 1 January 2021, there are significant changes to the General Data Protection Regulation (GDPR) in the UK, and the UK version of the GDPR (UK GDPR) has come into force, taking into account the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (EU Exit Regulations) and the Data Protection Act 2018.
The EU-UK Trade & Co-operation Agreement (TCA) agreed on 24 December 2020 also provides that both the UK and the EU remain "committed to ensuring a high level of personal data protection".
Transfers of personal data
The GDPR provides that personal data cannot be processed outside the EEA unless adequate safeguards are in place. As the UK has left the EU, it is now treated as a "third country" and so is seeking an adequacy decision so that personal data can be processed in the UK.
The TCA makes no reference to whether or not the EU considers the UK’s data protection regime to be “adequate”. It does, however, provide for an "interim period" during which it confirms that it is lawful to transfer personal data from the EU to the UK. During this interim period, data transfers will be treated in the same way as they were previously during the transition period.
The interim period lasts for four months (until 1 May 2021) but may be extended by a further two months (until 1 July 2021) in the absence of any adequacy decision being issued by the EU and where there is no objection by either the UK or the EU. It is also dependent upon the UK retaining its existing data protection laws.
In the event there is no adequacy decision in favour of the UK, transfers of personal data can still be made where other appropriate safeguards are in place. Examples of these include Binding Corporate Rules (BCRs) and model Standard Contractual Clauses (SCCs). The latter now need to take account of the Schrems II ruling, which requires specific consideration of each transfer.
The TCA does not address other issues to be considered in light of Brexit such as Lead Supervisory Authority and appointment of Authorised Representatives in the UK or the EU.
Action points in light of recent changes to data protection laws
In light of the above, the end of the Brexit transition period and recent changes in the law (particularly Schrems II and the issue of new draft Standard Contractual Clauses), businesses should undertake the following:
- Consider if they need to appoint a UK or EU representative (this is different to a DPO)
- Review if they need to change Lead Supervisory Authority
- Revisit and redraft documentation and data registers in light of the two separate regimes
- Address transfers of personal data in light of the Schrems II decision
- Think about how to address transfers of personal data given the UK is now a third country, and revisit documentation such as privacy notices, data processing agreements and intragroup transfer arrangements in light of this
- Be aware that new SCCs are also under review and that new drafts are in circulation