Following the UK’s exit from the EU, the General Data Protection Regulation will be retained in domestic law and will be referred to as the UK GDPR. Going forward, the UK GDPR will not necessarily incorporate any changes made to the EU GDPR.
The UK is now a ‘third country’. Third countries are states that fall outside of the GDPR zone, the EEA (all EU member states plus Norway, Liechtenstein and Iceland).
The EU GDPR restricts transfers of personal data to third countries, unless personal data is protected in another way or an exception applies.
The UK Government is currently seeking an adequacy decision from the European Commission which, if granted, will allow for the free flow of personal data from the EU to the UK. At the time of writing, January 15 2020, this has not yet been granted. The UK Government has announced an agreement with the EU for personal data to continue to flow freely from the EEA to the UK until an adequacy decision is reached.
Most data protection rules affecting small to medium-sized businesses and organisations will remain the same. However, the Information Commissioner’s Office requires all businesses to ensure they comply with the current GDPR requirements, and is encouraging all businesses to review their privacy information and documentation to identify any minor changes that may be needed now that the transition period has ended.
Additional action needed by UK businesses and organisations depends on the data you hold and where that data flows to and from.
1 Transfers of personal data to the EEA
Transfers of data from the UK to the EEA are permitted and you don’t need to take any additional steps.
2 Processing of UK personal data
If you already comply with the GDPR and have no contacts or customers in the EEA, you simply need to prepare for data protection compliance as set out above.
3 Transfer of personal data from the GDPR zone to the UK
If you receive personal data from contacts in the EEA, you need to take extra steps to ensure that the data can continue to flow.
For most businesses and organisations, incorporating the standard contractual clauses into your standard contract is the best way to keep data flowing to the UK.
4 Multi-branch businesses
If you have an office, branch or other established presence in the EEA, or if you have customers in the EEA, you will need to comply with both UK and EU data protection regulations.
If you are only based in the UK but you offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA, you will still need to comply with the EU GDPR in relation to these activities.
In most cases you will also need to appoint a suitable representative in the EEA to act as your local representative with individuals and data protection authorities in the EEA.
Amy Peacey is a Senior Associate in the Southampton office at Clarke Willmott LLP. She specialises in advising businesses on all matters relating to commercial contracts, including compliance with data protection legislation.