At the end of the transition period, the GDPR will become part of a new body of retained EU law. In addition, some further legislation is proposed which will take effect at the end of the transition period and effectively alter parts of the GDPR so that it makes sense when applied with the Data Protection Act 2018.
The good news is therefore that all the time and money businesses spent back in 2018 in becoming GDPR compliant has not been wasted.
The less positive news however is that data flows outside of the UK become more problematic than currently as the UK will be a ‘third country’ for the purposes of the data protection rules.
What is the problem?
Well, put simply, the GDPR allows unrestricted personal data flows between those states which have adopted the GDPR. The problem arises for the UK as it will no longer be a part of the club.
The GDPR sees these transfers as restricted and provides that data can only be transferred where there is a compliant safeguarding mechanism.
Examples of such mechanisms are:
- An adequacy decision being made (essentially, the EU confirming that it considers the country to be a safe destination for personal data under the GDPR);
- Standard contractual clauses (SCCs) which place obligations on the recipient of personal data to keep it safe (amongst other things); and
- Binding corporate rules (a complex mechanism which could provide a solution for some corporate groups but would need a longer period to implement).
Unless the EU approves an adequacy decision for the UK, the mechanism most likely to be used is SCCs. The ICO has recently published an online tool for using SCCs which is free and available to anyone.
UK Data Flows to the EEA
The amended UK data protection legislation provides that transfers from the UK to the EU can continue without additional protections being put in place, as EU countries will be deemed by the UK to have an adequate level of data protection. Whilst the government will keep this under review, this sounds like good news for these sorts of transfers as they appear to be largely unaffected.
EU Data flows to the UK
There is a potential difficulty with transfers from EU processors to the UK as no standard contractual clauses are available for this type of transfer. However, the draft new SCCs published in November 2020 do include an option for transfers from processors which would address this issue.
UK Data flows to non-EU Countries
At the end of the transition period, some new elements will be introduced into the Data Protection Act 2018.
One of these new elements will allow the Secretary of State to make adequacy decisions to allow transfers to non-EU countries. Whilst this isn’t necessarily helpful in terms of territories which do not yet have such status, any adequacy decisions already made by the EU will be incorporated into the legislation. So, at least we won’t be starting from the beginning.
The ICO will also have permission to issue new SCCs where there are none available.
What should businesses do now?
Some key practical areas to consider are:
- Which regimes apply? Organisations should consider which personal data is covered by the UK GDPR and DPA 2018 and which the EU GDPR. Consider whether it is a good time for a general audit or compliance review.
- International transfers. Organisations should review data flows from the EU to the UK in particular, and how these will comply with the GDPR after the end of the transition period if there is no adequacy finding in place.
- Privacy notices. Organisations may need to make consequential changes to their privacy notices.
- Rights of data subjects. Organisations will need to ensure that they remain in compliance with the rights of data subjects.
- Documentation and contracts. Contracts and records of processing activity should be reviewed and amended where required.