Using personal data post-Brexit

Written by Leigh Foster

Now we have left the European Union, there are changes in how we use personal data in the UK.  There are some actions we now need to take to comply with data protection and data flow regulations as of 1st January 2021.

This impacts UK businesses and other organisations that receive and transfer personal data to/from organisations abroad including the European Economic Area (EEA), which includes the EU and operating in the EEA.  Personal data is any information that can be used to identify a living person, including names, delivery details, IP addresses, or HR data such as payroll details.  Most organisations use personal data in their daily operations.  An example of this is a UK company that receives customer information from an EU company, such as names and addresses, to provide goods or services.

Receiving personal data from the EU/EEA and already adequate third countries

The EU-UK Trade and Cooperation Agreement contains a bridging mechanism that allows the continued free flow of personal data from the EU/EEA to the UK after the transition period until adequacy decisions come into effect, for up to 6 months.  EU adequacy decisions for the UK would allow for the ongoing free flow of data from the EEA to the UK.

As a sensible precaution, during the bridging mechanism, it is recommended that your business work with EU/EEA organisations who transfer personal data to you to put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU to UK personal data.  For most organisations, the most relevant of these will be Standard Contractual Clauses (SCC’s).  The ICO can also provide more detailed guidance on what actions might be necessary.  That can be found here:  https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period

The list of the 12 third countries deemed adequate are:  Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.

The below gives an outline of the UK Government’s view on the general application of the Withdrawal Agreement personal data protection provisions:

Organisations should be aware that Article 71(1) of the Withdrawal Agreement contains provisions that continue to apply EU data protection law to certain ‘legacy’ personal data until full adequacy decisions are adopted by the EU and come into effect. In accordance with the Withdrawal Agreement, references to EU law should generally be understood as the law applicable on the last day of the transition period.

Legacy data comprises personal data of individuals outside the UK (whether in the EEA or not) which is processed in the UK, where:

  • it was acquired before the end of the transition period and processed under EU data protection law; or
  • it is processed on the basis of the Withdrawal Agreement after the end of the transition period, for example, if personal data is processed under a provision of EU law that applies in the UK by virtue of the Withdrawal Agreement.

Now that the transition period has ended, EU data protection law has been converted into UK domestic law, with some minor technical amendments to ensure it is operable in the UK. UK and EU data protection law is therefore aligned. Although UK organisations may not need to do anything differently immediately to accommodate the Withdrawal Agreement requirements in practice, they may want to consider, where possible, taking stock of the personal data they hold so they can identify and track relevant legacy personal data to which EU data law applies in line with the Withdrawal Agreement requirements.

No doubt that further information will be published in the future and at Pertemps Managed Solutions we keep ourselves up to date with the latest changes to UK legislation.  For more information, please get in touch

Contact us to discuss your recruitment needs
Get in Touch

Latest Blog Posts

Shutterstock 749964067 (1)

Advantages of a contingent workforce

Mairead Simons, Recruitment Sourcing Partner, discusses the advantages of a contingent workforce

Read More

Travel restrictions on the UK job market

While the UK government has been taking cautious steps as the effects of the national vaccination efforts begin to show results, foreign travel restrictions remain for most holidaymakers and international visitors to the UK. The tourism, air and hospitality sectors have been markedly disrupted.

Read More

Shutterstock 337737683.Jpg

What to look for in a RPO provider

Recruitment Process Outsourcing (RPO) is a service that can allow an organisation to transfer all or part of its recruitment function to an external provider. An RPO can act as an extension of a company’s Recruitment/HR team and sit on site.

Read More