Brexit changed a lot for businesses, especially for EU companies that do business with the UK. Trade, regulation, human resources, transport… there’s almost nothing that goes untouched by the withdrawal of the UK from the EU and its single market. Data protection is unlikely to be at the forefront of companies’ minds but there are real issues that companies, data controllers as well as processors, should dive into now that the UK is officially a third country to the EU.
Here’s what you need to know about the GDPR and Brexit if you’re an EU company
On 31 December 2020, the Brexit transition period ended and the UK officially left the European Union. Since 1 January 2021, the UK started applying the “UK GDPR”, an almost identical version of the EU GDPR. All the rights, obligations and principles of the EU GDPR mostly stay the same. So, EU companies now also have to comply with the UK GDPR if they fall within its scope.
Two of the main data protection impacts of Brexit for EU companies
1- Transfers of personal data from the EU to the UK are allowed during a new transition period
The UK’s third-country status is a significant change for EU data controllers and processors because it means that they could soon be subject to cross-border data transfer requirements. In the new trade deal, the EU agreed to allow personal data to continue to flow freely but only during a transition period that will end at the latest on 30 June 2021.
In the meantime, everyone is waiting for the European Commission to designate the UK as ‘adequate’. Countries with adequacy are those that use an EU-equivalent level of data protection. As a result, data can flow between the EU and these countries without limits or checks. At present, countries recognized as being adequate for data transfers include Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay. Canada and Japan are also included, but there are limitations to data transfers to these countries. In Canada, only commercial organisations benefit. In Japan, the adequacy decision only covers private sector organisations.
Although the Commission released a draft adequacy decision regarding the UK on 19 February 2021, it still needs to obtain the European Data Protection Board (EDPB)’s (non-binding) opinion on the draft as well as the approval from the Committee of the EU Member States representatives. So nothing is settled yet and EU companies would be wise to have a plan B in place in case there is no adequacy decision.
2- EU companies that don’t have an establishment in the UK may have to appoint a UK GDPR Representative
An important thing that EU companies should bear in mind is that the new transition period only concerns data transfers. This means that the UK GDPR fully applies as from 1 January 2021 and that EU companies must comply with all of its obligations.
If you are an EU company, one of those obligations is to appoint a UK Representative if:
- You have no establishment in the UK, and
- You offer products or services to individuals located in the UK or monitor their behaviour
However, you don’t have to appoint a UK representative if:
- You are a public authority; or
- You have an establishment in the UK; or
- You process personal data only occasionally and you don’t process sensitive personal data on a large scale and your processing activities are unlikely to result in a risk to the rights and freedoms of individuals in the UK.
EU companies are generally not familiar with the obligation to appoint a data protection representative because, under the EU GDPR, this obligation only applies to non-EU companies. So, they didn’t have to appoint a UK representative before 1 January 2021 because there was no need to do so as the UK was part of the EU. It’s a new obligation because the UK is now a third country and it applies the UK GDPR – including the obligation for non-UK companies to appoint a UK data protection representative.
The UK representative is not a Data Protection Officer (DPO). Instead, the UK representative is a natural person or body within the UK who is appointed to communicate with individuals in the UK, as well as the regulator (ICO), on your behalf. (A DPO works with your company or organisation to facilitate compliance.) The UK representative must also keep a copy of your company’s record of processing activities.
Not sure if your EU company needs to appoint a UK representative? Contact us for a free assessment.
Follow us on Linkedin for daily breaking GDPR news!
Get our weekly newsletter in your inbox every Monday with fresh GDPR and Data Protection news!