Adequacy decision for EU-UK data transfers is yet to be confirmed.
It was welcome news when the EU and UK agreed to temporarily allow personal data to continue to flow from the EU to the UK for the first few months of 2021, while the EU considers its UK adequacy decision.
Since then, the EU has put forward a draft adequacy decision, which the ICO notes is an “important milestone” in the process. So now we must await the outcome of the EDPB’s and EU member states’ deliberations – we hope for a favourable and swift decision!
In the meantime, the ICO continues to advise organisations to be prepared in case the UK adequacy decision is not approved by the EU. In that scenario, UK organisations may need to have additional safeguards in place, such as Standard Contractual Clauses (SCC), to continue to receive personal data from organisations based in the EU.
Meeting new requirements for EU and UK Representatives
If your business does not have an office in the EU and you regularly process personal data of EU candidates, remember that GDPR may require you to have an EU Representative.
Your Representative would have various responsibilities, such as: overseeing rights requests from EU data subjects; communicating with EU regulators on behalf of your organisation if a complaint was raised in the EU; and holding a copy of your Record of Processing for EU inspection. With an EU Representative, you benefit from the EU GDPR’s One-Stop-Shop (which the ICO is no longer part of). This means, for example, if you experience a security breach you avoid the risk of potentially being fined by every individual EU state in which individuals have been affected.
For overseas businesses that do not have an office in the UK, if you regularly process personal data of UK individuals you may also need a UK Representative.
Special versions of the EU and UK Representative services provided by Reed Smith’s datarologie team have been tailored for ComplyGDPR clients, with competitive options for our micro and small business clients.
What data protection regulations apply now the Brexit transition period has ended?
- The UK GDPR took effect from 1st January 2021. (At this stage, it is fundamentally a carbon copy of the EU GDPR at 31st December 2021, but it may diverge over time.)
- The Data Protection Act (DPA) 2018 still applies. This regulation sits alongside the UK GDPR and also contains special conditions for certain aspects of the UK’s version of GDPR.
- The Privacy and Electronic Communications Regulations (PECR) still apply. These are pertinent for electronic marketing activities (email/phone/text) and website cookie rules.
Reminder: for UK-based organisations, the UK GDPR applies to ALL personal data you process. That means you should extend the protection and individual rights provided by UK GDPR to all your data subjects, regardless of where they are located.
- Get straight with the new rules if your organisation has cross-border activities between the UK and EU or between multiple countries within the EEA.
- Assess whether you may need to appoint an EU representative or a UK representative. If so, publish their details on your website privacy notice.
- Some of your GDPR records may need to be updated. For example, descriptions of data transfers to the EU or third countries – check your privacy policy, record of processing, DPIAs. Also check that your data breach notification and subject rights request handling processes are up to date.
How can we help?
- If you are unsure whether you need an EU or UK Representative, ask for our joint ComplyGDPR/datarologies/ReedSmith brochure, which includes a flow chart to help.
For a copy of our latest post-Brexit checklist, contact our helpline.