With the UK leaving the EU and the end of the transition period looming, Anna Drozd and Emilio Miranda-Graham from our policy teams outline how to get ready for data protection changes in 2021.
The EU and the UK are still negotiating their future partnership. It is also true that both sides are in consultation regarding an adequacy decision from the European Commission which would allow for seamless flows of data from the EU to the UK (which once the transition period ends will be a third country).
Unfortunately, we have no guarantee of the outcome as yet. The UK Government has already determined that it considers all EU 27 and EEA member states to be adequate for the purposes of data protection, ensuring that data flows from the UK to the EU/EEA remain unaffected.
There are several steps that you can take now in order to get ready for 1 January 2021.
1. Make sure you are up to date with all the available information
There is already a wealth of guidance notes that advise you what steps you should take to prepare for the end of the transition period:
The UK Government published its guidance on ‘Using personal data in your business or other organisation after the transition period.’
The Information Commissioner’s Office (the UK data protection regulator) published its guidance on ‘Data Protection at the end of the transition period.’
The Law Society has published general guidance on ‘Preparing for the end of the transition period’ and ‘End of transition period guidance: EU data flows.’ We also held a webinar on EU-UK data flows after 2020 which you can watch here.
Do not forget to check the relevant guidance from the European Data Protection Board (EDPB) for all matters related to the General Data Protection Regulation (GDPR).
2. Review your data flows from the European Economic Area (EEA)
You should take time to analyse your or your firm’s data flows from the EEA. This includes not only transfers of personal data from the EEA to the UK but also onward transfers of such data from the UK to other third countries (nations outside the GDPR zone, i.e. outside the EU member states, Iceland, Liechtenstein and Norway).
3. Review GDPR safeguards
If the UK is not granted an adequacy decision by the EU, the transfers of personal data from the EEA to the UK will need to rely on several safeguards that are listed in the GDPR (Art 46).
You or your firm should review which of the safeguards set out under the GDPR is best suited to the needs of your firm. The safeguards are binding corporate rules (BCRs), standard contractual clauses (SCCs), certification and codes of conduct, and derogations (the latter applying to EU data exporters only). You may find the ICO guidance on appropriate safeguards helpful in assessing your needs.
Note that the SCCs are currently being reviewed by the European Commission and the revised text is expected by the end of the year. Moreover, following the judgment of the Court of Justice of the EU (CJEU) in Schrems II, there is now a higher standard of due diligence for data exporters and importers who use the SCCs.
The European Data Protection Board (EDPB) is currently working on specific guidance on how to comply with the judgment. Until then you can check their frequently asked questions (FAQs) which were published shortly after the judgment.
4. Consider appointing an EU representative
If you or your firm will be processing EU personal data but do not have an office in an EU member state, you may need to appoint an EU representative and update your privacy notices to include that representative’s contact details.
The ICO has published informative guidance on this subject which is available on their website. In addition, the EDPB published guidance on the territorial scope of the GDPR.
5. Review your privacy policies
Your firm should review its privacy policies to make sure that your clients understand the movements of their personal data both inside and outside of the EU. ICO guidance on how to draft privacy information is available on their website.
6. Show that you comply with relevant laws
You should take action to show the steps you or your firm has taken to ensure compliance with the relevant data protection regime following the end of the transition period. These can include (but are not limited to):
- devoting proportionate and reasonable resources to identifying the risk associated with your or your firm’s international data transfers
- mitigating any risks identified with appropriate mechanisms such as data subject consent, standard contractual clauses (SCCs), binding corporate rules (BCRs) or certification and codes of conduct
- supporting this with the necessary governance, internal controls and staff training
7. Consider other aspects of local privacy laws
If you or your firm have an office in another EU member state or you process EU personal data, you should consider aspects of local privacy laws in that country. This is because the GDPR permits local variations, for example, in relation to processing special categories of data (such as personal data revealing race, national origin, political opinions, religious or philosophical beliefs, health data, data concerning a person’s sex life or sexual orientation).
Note that this is not an exhaustive list of special category data.
8. Consider your nomination of Lead Supervisory Authority
If you or your firm have an office in another EU member state and have nominated the ICO as your Lead Supervisory Authority (LSA) under the GDPR’s consistency mechanism, you will need to consider nominating another EU regulator as your LSA for EU personal data.
The alternative LSA you select should be chosen in accordance with the requirements under the GDPR. You can find guidance from the EDPB on choosing the LSA.