Written by Leigh Foster
Now we have left the European Union, there are changes in how we use personal data in the UK. There are some actions we now need to take to comply with data protection and data flow regulations as of 1st January 2021.
This affects UK businesses and other organisations that receive personal data from, or transfer it to, organisations abroad, including those operating in the European Economic Area (EEA), which includes the EU. Personal data is any information that can be used to identify a living person, including names, delivery details, IP addresses, or HR data such as payroll details. Most organisations use personal data in their daily operations. An example of this is a UK company that receives customer information from an EU company, such as names and addresses, to provide goods or services.
Receiving personal data from the EU/EEA and already adequate third countries
The EU-UK Trade and Cooperation Agreement contains a bridging mechanism that allows the continued free flow of personal data from the EU/EEA to the UK after the transition period until adequacy decisions come into effect, for up to 6 months. EU adequacy decisions for the UK would allow for the ongoing free flow of data from the EEA to the UK.
As a sensible precaution, during the bridging mechanism, it is recommended that your business work with EU/EEA organisations that transfer personal data to you to put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU to UK personal data. For most organisations, the most relevant of these will be Standard Contractual Clauses (SCCs). The ICO can also provide more detailed guidance on what actions might be necessary. That can be found here: https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period
The 12 third countries deemed adequate are: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.
The following outlines the UK Government’s view on the general application of the Withdrawal Agreement personal data protection provisions:
Organisations should be aware that Article 71(1) of the Withdrawal Agreement contains provisions that continue to apply EU data protection law to certain ‘legacy’ personal data until full adequacy decisions are adopted by the EU and come into effect. In accordance with the Withdrawal Agreement, references to EU law should generally be understood as the law applicable on the last day of the transition period.
Legacy data comprises personal data of individuals outside the UK (whether in the EEA or not) which is processed in the UK, where:
- it was acquired before the end of the transition period and processed under EU data protection law; or
- it is processed on the basis of the Withdrawal Agreement after the end of the transition period, for example, if personal data is processed under a provision of EU law that applies in the UK by virtue of the Withdrawal Agreement.
Now that the transition period has ended, EU data protection law has been converted into UK domestic law, with some minor technical amendments to ensure it is operable in the UK. UK and EU data protection law is therefore aligned. Although UK organisations may not need to do anything differently immediately to accommodate the Withdrawal Agreement requirements in practice, they may want to consider, where possible, taking stock of the personal data they hold so they can identify and track relevant legacy personal data to which EU data law applies in line with the Withdrawal Agreement requirements.
No doubt further information will be published in the future, and at Pertemps Managed Solutions we keep ourselves up to date with the latest changes to UK legislation. For more information, please get in touch.