(September 2020) When the transition period ends and the UK’s exit from the European Union is complete, businesses with customers in Europe will need to keep on the right side of data protection legislation.
Under the European Union’s General Data Protection Regulation – or GDPR as it is known – there are strict requirements for businesses processing personally identifiable information about individuals who live within the EEA, which comprises the countries within the EU plus Iceland, Liechtenstein and Norway.
GDPR has continued to apply alongside the UK Data Protection Act 2018 during the transition period, but any UK business managing personal data relating to EEA citizens after 31st December 2020 will have to act in line with the requirements of Article 27 of the GDPR. This spells out the obligations for data controllers and processors outside the European Union and requires any organisation without a presence to appoint a personal representative.
Even though GDPR will be retained in domestic law at the end of the transition period, we will no longer be part of the EU, so if you handle data relating to citizens in the EEA and your organisation does not have an office or representation within Europe, then you will have to appoint someone to fulfil that requirement. You need a provider in the EEA who offers services as a GDPR representative to act on your behalf with individuals and data protection authorities in the EEA.
It’s most likely to affect small to medium sized businesses, as larger organisations will probably have a base somewhere in the EU. You may have gone through all the hoops to manage compliance when GDPR was introduced in 2018, but you must check the position now, to be sure you are going to be compliant from January onwards. You also need to make sure your privacy information and documentation is all up to date and reflects any changes that may be required, such as around European-based representation.
If any such breaches came to light, there is the potential of high fines from the Information Commissioner of up to Euro 10m or 2% of global revenues so it’s worth getting everything checked by a specialist.
The Information Commissioner’s Office, or ICO, is the independent supervisory body for the UK’s data protection legislation and will continue in that role post-transition. The ICO website includes guidance for data processors on managing the departure from the EU, with an interactive toolkit to help organisations understand what they need to do to maintain a free flow of data to the UK from the EU.
And the guidance highlights that it’s not just organisations who are dealing with European citizens that need to know where they stand: Post-transition, the provisions of GDPR will be incorporated directly into UK law, to sit alongside the Data Protection Act 2018. Any organisation operating in the UK and processing data regarding UK residents must continue to comply with all related legislation.