Changes in the Data protection after UK has left the EU .
Following the UK’s departure from the European Union, these are the latest updates on how this affects GDPR and the sensitive issue of data protection.
Overview of the current situation:
- The General Data Protection Regulation (GDPR) has been retained in UK law and will continue to be read alongside the Data Protection Act 2018, but with some technical amendments to ensure it can function in UK law.
- The Information Commissioner remains the UK’s independent supervisory authority on data protection.
- The UK is now deemed a ‘third country’ by the EU and so will require an adequacy decision to continue personal data transfers from the EU/EEA. However, the EU-UK Trade and Cooperation Agreement contains a bridging mechanism that allows the continued free flow of personal data from the EU/EEA to the UK after the transition period until adequacy decisions come into effect, for up to six months.
- Transfers of personal data from the UK can continue as before.
- Receiving personal data from the EU/EEA.
– For the duration of the bridging mechanism, you can continue to receive personal data from the EU/EEA, but you should work with any EU/EEA organisations that transfer personal data to you to put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU-to-UK personal data.
– For most organisations, the most relevant of these will be Standard Contractual Clauses (SCCs).The ICO also provides more details on what actions might be necessary and an interactive tool that allows you to build SCCs.
-11 of the 12 third countries deemed adequate by are maintaining unrestricted personal data flows with the UK.
- Transferring personal data from the UK:
– There are currently no changes to the way you send personal data to the EU/EEA, Gibraltar and other countries deemed adequate by the EU.
– For international data transfers from the UK to other jurisdictions, further information can be found on ICO website.
- Holding personal data of individuals based outside the UK (whether in the EEA or not) which is processed in the UK but acquired before 31 December 2020:
– Article 71(1) of the Withdrawal Agreement contains provisions that continue to apply EU data protection law to certain ‘legacy’ personal data until full adequacy decisions are adopted by the EU and come into effect.
– Although UK organisations may not need to do anything differently immediately to accommodate the Withdrawal Agreement requirements in practice, they may want to consider, where possible, taking stock of the personal data they hold so they can identify and track relevant legacy personal data to which EU data law applies in line with the Withdrawal Agreement requirements.
- Appointing EU-based representatives
– Some UK data controllers and processors may also need to appoint EU-based representatives if they do not have an office, branch or other establishment in the EEA but offer goods or services to individuals in the EEA or monitor the behavior of individuals in the EEA.
- Updating documentation
– Any references to EU law, UK-EU transfers and your EU representative (if you need one) will need to be updated in your privacy notices, DPIAs and other documentation.
Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
Zlatko, Adam, Hristina, Marin.
As GDPR effect is growing day by day and a lot of companies are affected, we would like to present
ICO published the next chapter of the Anonymisation guidance draft : Anonymisation, pseudonymisation and privacy enhancing technologies guidance
How to ensure anonymisation is effective? The ICO is calling for views on its updated draft gui
A lot of companies are receiving SAR's almost every day. Not all of the SAR's are relevant and a lo