The Trade Deal, Data Protection, and the end of the Transition Period

I blogged previously on changes to data protection at the end of the transition period – 11 pm on 31 December 2020.

I advised UK organisations who received personal data from Europe that any transfers of personal data to them from 1 January could only occur if the European GDPR allowed it. I advised organisations to look at entering into ‘Standard Contractual Clauses’ with organisations in Europe who they rely upon to send personal data to the UK.

That advice needs to be revised as, on Christmas Eve, the UK reached a Trade and Cooperation Agreement with the EU. Part of the agreement related to the continued flow of personal data from Europe to the UK.

The deal will be welcomed, but it has not permanently resolved the issue of how personal data can lawfully flow from Europe to the UK; it just kicks the can down the road for a period of four (possibly six) months. During that period the EU has agreed that personal data can be sent to the UK as before. In return, the UK is not allowed to exercise certain powers that it would otherwise have been able to exercise, such as recognising other countries as having adequate data protection or issuing its own version of the above Standard Contractual Clauses (SCCs).

The UK is still hoping to secure a finding of ‘adequacy’ from the EU. This is a formal recognition that the UK’s data protection regime meets the standards required by Europe. Securing such a finding at all, never mind within the next few months, is not guaranteed. As before, organisations may wish for certainty and speak to those with whom they have relationships in Europe about entering into SCCs to ensure that personal data can continue to be sent to the UK after the end of the above extension period.

So, what is the law now?

When the transition period ends, the European version of the GDPR will be retained into UK law but will be immediately amended. What results will be known as the UK GDPR. There will also be changes made to the UK’s Data Protection Act of 2018. This Act supplements the GDPR. Organisations will need to comply with both of these laws when processing personal data, as well as others such as the 2003 privacy regulations that deal with, amongst other issues, ‘cookies’ and marketing by electronic means.

What about sending personal data out of the UK?

UK legislation sets out how personal data can be lawfully sent out of the UK.

It can be sent to Europe (except Switzerland) as before.

It can also be freely sent to all of the countries that the EU previously deemed to have adequate data protection regimes. These are Andorra, Argentina, Canada (commercial organisations only), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, New Zealand, Switzerland, and Uruguay. As regards sending personal data to the UK, many of these countries have already made declarations that, regardless of the end of the transition period, they will still send personal data as before.

The UK has also recognised the use of the current EC-approved SCCs as an appropriate safeguard when sending personal data out of the UK (other than to Europe and the countries listed above) or, for larger organisations that have a number of companies within a group, the use of what are known as Binding Corporate Rules.

Has the European GDPR gone for good?

No – UK organisations who offer goods/services to individuals in Europe (or monitor them) must still comply with the European GDPR and, as such, may need to appoint an EU Data Protection Representative.

What about the UK GDPR?

Organisations outside the UK who offer goods/services to individuals in the UK (or monitor them) need to comply with the UK GDPR and may need to appoint a UK Data Protection Representative.

Do I need a UK GDPR Representative?

When GDPR came into force in 2018, it caused a flurry of activity within companies all around the world, all trying to work out what they could and couldn’t do with data they’d been collecting for years.

It seemed it was website owners that were most concerned, and people have got used to having to click buttons to say that they’re happy for sites to collect their data.

However, for some companies, especially outside the EU, it’s all a bit too much for them to be bothered with and so if they detect a user from Europe, they’ll simply stop them viewing the site.

That’s OK if you’re a small news station in Texas, but what if you have to deal with people in Europe? And what if you deal with people in the UK and still want to after Brexit?

The world is flat

The Internet has succeeded in democratising information and making it available to absolutely anybody who has a connection. So if you own a website that offers goods or services to people, you might need to consider where those users come from.

Also, if you’re in the business of dealing with people in the EU or Britain, then you’re going to have to abide by the rules of GDPR.

According to the ICO – the body in charge of overseeing data protection and enforcing GDPR in the UK:

“The UK government intends that after the transition period ends, the UK version of the GDPR will say that a controller or processor located outside the UK – but which must still comply with the UK GDPR – must appoint a UK representative.”

For those readers not up to date with the political goings-on in the UK, the “transition period” is where the UK is not part of the European Union anymore, but still abides by its rules until such time as a deal is worked out. If ever a deal does get worked out.

When the UK does eventually leave, most of the laws will simply be transferred across to UK law anyway.

However, in essence, even though we’ll have the same basic rules as the EU, we’ll be a “third country”, and therefore it’s up to the EU to decide whether we have an “adequate level of data protection.”

The UK government is currently seeking an adequacy decision from the EU.

If it comes to fruition, then data will be allowed to pass freely between the EU and the UK.

So what happens next?

Whatever the EU decides with regard to the UK’s adequacy, if you’re a business that sells goods and services to people in the UK, or you monitor the behaviour of people in the UK, and you don’t have an office in the UK, you’ll need to appoint a representative.

This could be an individual or an agency working on your behalf, but you will need to give them written consent to work for you in matters relating to data protection.

Of course, if you’re dealing with people in the UK, you’ll likely be dealing with Europe, too, so it’s worth seeking out a representative that can help with both sides.

A good representative can smooth over the bumps

Given the new rules, Brexit and the general concern about people’s data and how it can be accessed, dealing with the UK might seem an impossible task, but it need not be.

A good GDPR representative can make everything go smoothly, helping you to reach into markets that can boost your sales and profitability.

So, if you think you might want to offer your goods or services into the UK and want to do it easily, and with the minimum of fuss, contact us today.