Following the UK’s exit from the EU, the General Data Protection Regulation will be retained in domestic law and will be referred to as the UK GDPR. Going forward, the UK GDPR will not necessarily incorporate any changes made to the EU GDPR.
The UK is now a ‘third country’. Third countries are states that fall outside of the GDPR zone, the EEA (all EU member states plus Norway, Liechtenstein and Iceland).
The EU GDPR restricts transfers of personal data to third countries, unless personal data is protected in another way or an exception applies.
The UK Government is currently seeking an adequacy decision from the European Commission which, if granted, will allow for the free flow of personal data from the EU to the UK. At the time of writing, January 15 2020, this has not yet been granted. The UK Government has announced an agreement with the EU for personal data to flow freely from the EEA to the UK, while an adequacy decision is reached.
Most data protection rules affecting small to medium-sized businesses and organisations will remain the same. However, the Information Commissioner’s Office requires all businesses to ensure they comply with the current GDPR requirements and is encouraging all businesses to review their privacy information and documentation to identify any minor changes that may be needed now the transition period has ended.
Transfers of data from the UK to the EEA are permitted and you don’t need to take any additional steps.
If you already comply with the GDPR and have no contacts or customers in the EEA, you simply need to prepare for data protection compliance as set out above.
If you receive personal data from contacts in the EEA, you need to take extra steps to ensure that the data can continue to flow.
For most businesses and organisations, incorporating the standard contractual clauses in your standard contract is the best way to keep data flowing to the UK.
If you have an office, branch or other established presence in the EEA, or if you have customers in the EEA, you will need to comply with both UK and EU data protection regulations.
If you are only based in the UK but you offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA, you will still need to comply with the EU GDPR in relation to these activities.
In most cases you will also need to appoint a suitable representative in the EEA to act as your local representative with individuals and data protection authorities in the EEA.
Amy Peacey is a Senior Associate in the Southampton office at Clarke Willmott LLP. She specialises in advising businesses on all matters relating to commercial contracts, including compliance with data protection legislation.