Using personal data post-Brexit

Written by Leigh Foster

Now we have left the European Union, there are changes in how we use personal data in the UK.  There are some actions we now need to take to comply with data protection and data flow regulations as of 1st January 2021.

This impacts UK businesses and other organisations that receive and transfer personal data to/from organisations abroad including the European Economic Area (EEA), which includes the EU and operating in the EEA.  Personal data is any information that can be used to identify a living person, including names, delivery details, IP addresses, or HR data such as payroll details.  Most organisations use personal data in their daily operations.  An example of this is a UK company that receives customer information from an EU company, such as names and addresses, to provide goods or services.

Receiving personal data from the EU/EEA and already adequate third countries

The EU-UK Trade and Cooperation Agreement contains a bridging mechanism that allows the continued free flow of personal data from the EU/EEA to the UK after the transition period until adequacy decisions come into effect, for up to 6 months.  EU adequacy decisions for the UK would allow for the ongoing free flow of data from the EEA to the UK.

As a sensible precaution, during the bridging mechanism, it is recommended that your business work with EU/EEA organisations who transfer personal data to you to put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU to UK personal data.  For most organisations, the most relevant of these will be Standard Contractual Clauses (SCC’s).  The ICO can also provide more detailed guidance on what actions might be necessary.  That can be found here:  https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period

The list of the 12 third countries deemed adequate are:  Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.

The below gives an outline of the UK Government’s view on the general application of the Withdrawal Agreement personal data protection provisions:

Organisations should be aware that Article 71(1) of the Withdrawal Agreement contains provisions that continue to apply EU data protection law to certain ‘legacy’ personal data until full adequacy decisions are adopted by the EU and come into effect. In accordance with the Withdrawal Agreement, references to EU law should generally be understood as the law applicable on the last day of the transition period.

Legacy data comprises personal data of individuals outside the UK (whether in the EEA or not) which is processed in the UK, where:

  • it was acquired before the end of the transition period and processed under EU data protection law; or
  • it is processed on the basis of the Withdrawal Agreement after the end of the transition period, for example, if personal data is processed under a provision of EU law that applies in the UK by virtue of the Withdrawal Agreement.

Now that the transition period has ended, EU data protection law has been converted into UK domestic law, with some minor technical amendments to ensure it is operable in the UK. UK and EU data protection law is therefore aligned. Although UK organisations may not need to do anything differently immediately to accommodate the Withdrawal Agreement requirements in practice, they may want to consider, where possible, taking stock of the personal data they hold so they can identify and track relevant legacy personal data to which EU data law applies in line with the Withdrawal Agreement requirements.

No doubt that further information will be published in the future and at Pertemps Managed Solutions we keep ourselves up to date with the latest changes to UK legislation.  For more information, please get in touch

Contact us to discuss your recruitment needs
Get in Touch

Latest Blog Posts

170915 Pertemps Shot 2 0080.Jpg

Changing your approach - the importance of adapting your customer service

Customer expectations were shifting in this digital era and have now evolved further with the pandemic forcing customers to change purchasing habits. Purchasing preferences have developed and how quickly clients adapt to these will be vital.

Read More

The changing nature of community relationships in modern businesses

In a changing business environment and landscape, questions have arisen surrounding how organisations can continue to foster effective relationships with local communities given the increased influence technology has had on the modern enterprise.

Read More

170915 Pertemps Shot 3 0433.Tif.Jpg

Talent Acquisition in a post Covid world

Talent acquisition has been dramatically shaped by the COVID-19 pandemic and some of the challenges that have arisen at the start seems like a distant memory. How we now move forward and embrace the changes of an ever-progressive industry will separate companies and their hiring strategies.

Read More