You may have to take action if your business is responsible for transferring information about people (personal data) from the EU into the UK. Examples include customer transactions and the use of a cloud service based in the EU.
The primary source of information about how Brexit affects data protection is the Information Commissioner’s Office (ICO) website. The ICO has a webpage about Brexit that is dedicated to small and medium-sized businesses. These are some of the key points a business should consider.
- The General Data Protection Regulation will be incorporated into UK law, becoming the UK GDPR. It will continue to work alongside the UK’s Data Protection Act 2018. This means that day-to-day activities to ensure compliance with data protection law are unlikely to change very much.
- The UK government has stated that transfers to the EU, specifically the EEA (European Economic Area), will not be restricted. So, if you send data from the UK to the EEA, you will still be able to do so and you do not need to take any additional steps.
- For data being transferred from the EU to the UK, the UK is awaiting an adequacy decision from the EU. The EU has to decide that UK data protection law protects personal data to the same level as European data protection law (the EU GDPR). With the UK adopting GDPR, it is likely that it will be deemed adequate, but unfortunately this takes time. If the UK receives this adequacy decision, then data can be transferred from the EU without the extra measures (‘safeguards’) that would otherwise be required.
- Whilst awaiting the likely adequacy decision, transfers of personal data from the EU can still occur for 6 months commencing 1st January 2021. If an adequacy decision has not been reached by the end of this period, then extra safeguards need to be implemented by the parties involved. Large global organisations, such as Microsoft, will have implemented these safeguards, the foremost of which is adding data protection clauses to their contracts with customers. These are called Standard Contractual Clauses (SCCs), and the ICO provides an interactive tool to help businesses decide if these are required.
Remember that data protection is all about protecting individuals from any potential harm that a misuse of their information might cause. You should keep data secure and let people know how you use it. If you do this, then the risk of any harm to your organisation or the individual will be much lower, whether the data is in the UK or any other country. To help with these activities, the ICO provides guidance on creating a privacy notice and keeping data secure.
Be aware that data protection law deems special category data, such as health data, to be potentially more harmful if misused. Make the security of this data your priority.
This blog was written by Alan Martin, a freelance expert based in East Kent with 15 years’ experience of data protection compliance. For more information, visit http://dataprotectionadviceltd.co.uk/