From December 31 2020 at 11 pm – “exit day” – EU law no longer applies in the UK. Well… not exactly. The “UK GDPR” will apply to personal data that your UK business processes, regardless of where you get it. The “EU GDPR” will apply to businesses in the EEA, but it will also apply to businesses outside the EEA that target services or goods to, or monitor the behaviour of, people in the EEA, for example through a website or app.
These parallel universes will likely intersect for many UK businesses post-exit. The good news? They will be very similar. The bad news? They’ll be more like fraternal twins than identical ones, similar but not the same, and they may diverge over time. If your brain is swimming, you’re not alone. This article will help you keep your head above water and your data flowing by listing 10 steps you should take.
Step 1: Know your data
Map your data flows so you know what personal data you process, where you get it and whether you send it to other countries, for example to a partner or outsourced vendor, or by using a SaaS product hosted outside the UK or EEA. Do you receive personal data from someone based in the EEA?
All of this should already be captured in your Record of Processing Activities (ROP), but it helps to have a map to visualise the data flows.
Step 2: Know your operations and confirm which law(s) apply
Using your map and ROP, find out which law(s) apply to your different processing activities and business operations. In some cases, both UK and EU GDPR will apply.
- If you are UK-based, with no contacts, customers or presence in the EEA (“UK-Only”), and you don’t receive personal data from the EEA, only UK GDPR will apply. Skip to Step 4.
- If you are UK-Only but you do receive personal data from the EEA (“UK-Only Data Importer”), EU GDPR will indirectly apply through requirements your EEA-based trading partners impose on you to ensure they satisfy EU GDPR international transfer rules. Go to Step 3.
- If you are UK-based but also have a presence in the EEA, such as a branch office, or you target goods or services to or monitor the behaviour of people in the EEA (“UK-Plus”), both UK and EU GDPR will apply. Go to Step 3.
Step 3: Keep data flowing between the UK and the EEA
To keep business flowing, you’ll need to keep the data flowing. Data can flow freely between the UK and the EEA for now because we have an adequacy extension and a draft adequacy decision pending approval. Assuming we gain adequacy, there should be no interruptions. If adequacy doesn’t come through for some reason however, your EEA counterparts will have to do more work to send data your way because we’ll be deemed a third country. They’ll likely need you to sign Standard Contractual Clauses (SCCs) and help them with their international transfer risk assessments. They’ll also need you to implement more rigorous supplementary measures to ensure consistent protection (see our article on international transfers).
Step 4: Keep data flowing between the UK and other countries
Meanwhile, as you trade with other countries outside the UK and the EEA, UK GDPR will continue to impose restrictions on you similar to those in Step 3, with UK variations. You can transfer UK personal data freely to already “adequate” countries, plus any new ones the UK adds as of 1 January 2021. Otherwise you’ll need to use Standard Contractual Clauses (SCCs) or another transfer mechanism. The UK will draft its own SCCs in 2021 modelled after the new EU ones, but you can use the existing ones now to maintain the legality of transfers.
(If you’re transferring EEA personal data onward, make sure you use EU SCCs and follow EU GDPR for that data).
Step 5: Keep your DPO or your privacy lead (and hold them close)
If you already have a DPO because it’s required, you’ll still need one, even if you’re a UK-Only business. If you’re a UK-Plus business, your current DPO can satisfy both UK and EU GDPR requirements. If you don’t have a DPO, confirm you don’t require one, and appoint one if you do. Even if you don’t need a DPO, you should still appoint a privacy lead who can stay on top of this ever-changing and complex area and keep you on track.
Step 6: Identify your Lead Authority or EU representative
Skip this step if you are a UK-Only Business. If you are a UK-Plus business but you don’t have a presence in the EEA, you will need to appoint an EU Representative. If you are a UK-Plus business with a presence in the EEA involved in cross-border processing, you will need to identify your Lead Authority in the EEA. You may be subject to oversight by both the UK ICO and your Lead Authority for certain activities. If you’re a UK-Plus business without an EEA presence, you could be subject to enforcement activity by multiple data protection authorities.
Step 7: Update your documentation
Review and amend your internal policies, privacy notices, training materials, workflows, data protection impact assessments, ROP, etc. to reference the appropriate laws and identify your EU Representative or Lead Authority. Make sure any operational or technological changes that arise out of your SCCs or new legal requirements are addressed in your documentation.
Step 8: Update your contracts
Update your contracts to ensure they reflect the right laws and any new requirements, such as additional technical measures in your controller-processor agreements. Expect to receive updated standard terms from some of your vendors. Be sure to keep a copy for your records.
Step 9: Refresh your training
Make sure your staff are aware of the new changes and how this impacts their work.
Step 10: Regardless of which law applies, follow our Golden Rules
Whether you are subject to UK GDPR or EU GDPR, there is a common set of rules that will apply. We created some Golden Rules. Following them will help you comply with post-Brexit requirements. Take this short ICO quiz to find out how you’re doing so far.
Written by Abigail Dubiniecki
Privacy Specialist at My Inhouse Lawyer