On the 31 December 2020, the Brexit Transition period ended meaning that from 1 January 2021, the UK has been able to amend UK employment legislation underpinned by European law. The UK’s Data Protection Act 2018 is one example, which is underpinned by the European GDPR.
This article considers the impact of having left the EU on the UK’s Data Protection Act 2018 and the flow of personal data in and out from the UK and EU. Any reference to ‘data’ in this article means ‘personal data’.
Data Protection before Brexit
GDPR
The GDPR is an EU directive which applies to all organisations that are based in, or do business in the EU, regardless of size or sector. It was introduced in 2018 to bring about one single set of data protection regulations applicable to all EU member states in the same way. It also applies to competitors based outside of the EU in respect of any personal data that they process which belongs to EU data subjects.
In terms of the transfer of personal data, the GDPR required all organisations that were involved in the transfer of personal data must:
- Have a lawful ground for processing that personal data
- Provide certain information to data subjects
- Complete a data protection impact assessment where the transfer poses a high risk.
Data Protection Act 2018
The Data Protection Act 2018 (DPA) is the UK’s current law governing the protection of personal data. The content is primarily derived from the General Data Protection Regulation (GDPR) as the UK was required to adopt the GDPR back in 2018. Even though the UK has had data protection laws in place for some time; it is the DPA of 2018 which includes requirements set under the European GDPR directive.
Data Protection after Brexit
Throughout the Brexit trade negotiations, the UK Government have committed to ensuring that the UK maintain the high standards of data protection moving forward. A consequence of the transition period having ended is that the UK are free to amend or remove any of the existing employment rights which derive from the EU and so, the UK is free to make any changes to the DPA as it deems necessary.
UK GDPR
The UK GDPR is new and is the UK’s version of the retained GDPR and came about as part of the European Union Withdrawal Act 2018 and as amended by schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU exit) Regulations 2019.
It has also been defined in section 3(10) of the DPA 2018 which means that from 1 January 2021 for UK based organisations, the legal frameworks for managing personal data come from both the DPA 2018 and the UK GDPR.
This may seem a duplication and it may well be that in time, these two pieces of legislation become amalgamated. But at present, the requirements laid down in both pieces of legislation must be adhered to.
The UK GDPR will also apply to controllers and processors based outside the UK if their processing activities relate to offering goods/services to individuals in the UK or monitoring the behaviour of individuals taking place in the UK.
Key change following Brexit
When the UK was part of the EU and EEA, data could be transferred freely between all other member states governed by the GDPR. However, with the UK now being outside of the EU and EEA, it means that the GDPR now regards the UK as a ‘third country’ and so technically the free transfer of data ended, and additional safeguards are required to enable the flow of data to continue.
Although the UK is now classed as a ‘third country’, data transferred (sent) from UK organisations to members of the EEA have not been restricted thanks to provisions under the withdrawal arrangement. Plus, under the trade deal, the EU will temporarily delay restrictions on data received by UK organisations from those in the EEA for four to six months.
So, even though from 1 January the UK became a third country for the purpose of GDPR, UK organisations may still send and receive personal data from the EEA, for the time being, giving UK businesses more time to prepare.
It is hoped that during this time, the UK will receive what is known as an ‘adequacy decision’ which is essentially approval from the European Commission that the UK is a country which protects personal data up to the standards of the EU GDPR – and so is safe to freely send data to without organisations having to put their own safeguards in place. As the UK has essentially adopted the GDPR (the UK GDPR) it is fully expected that this will be the case.
Welcomingly, on 21 February 2021, the European Commission published its draft decisions and found the UK to be adequate. This draft decision must now be considered by the European Data Protection Board and a committee of the 27 EU Member Governments. If they approve the draft decision, it means the European Commission can formally adopt them as legal adequacy decisions, meaning the UK will be able to allow the free flow of data under the EU GDPR transfer rules as it has done so in the past. Whereas should the adequacy decision not be adopted then the UK must comply with the EU GDPR transfer restrictions, as are currently in place for all other third countries.
Potential Implications for International Data Transfers
Under the DPA and GDPR, there are many rules protecting (and limiting) the collection, processing, storing and deletion of personal data, including requirements around security, impact assessments and transfers of personal data between third parties and international transfers.
As previously outlined, all transfers of personal data are subject to the general requirements of the GDPR. For international transfers however, organisations must also satisfy the requirements of Part 3 Chapter 5, articles 44 to 50 of the GDPR which is concerned with the transfer of personal data to third countries or international organisations.
Should the adequacy decision not be adopted, then for UK businesses who currently transfer personal data to an EU or EEA state must comply with this chapter and articles. In which case, it will be crucial to consider the following:
Is the transfer caught by the data protection requirements on international transfers?
In considering whether the transfer is caught by the data protection requirements on international transfers, then all the following must apply:
- There is a transfer of data and that the data is personal data and/or special category personal data
- The recipient is not subjected to the GDPR
- The recipient is a separate organisation or individual (even if the recipient is another company within the same corporate group)
- The data transferring constitutes
Is there an alternative to transferring personal data outside the UK?
For example, are you able to make the data anonymous so it is never possible to identify the individuals? Or using an alternative supply that is based within the UK?
Is there a lawful ground for processing under Article 6 (lawful basis for processing) and Article 9 (processing of special categories of personal data)
Consider therefore a lawful ground for processing (which could be consent, contractual performance, compliance with a legal obligation) and then establish whether you can transfer under one of the valine mechanisms relevant to international transfers (adequacy decision, appropriate safeguards such as standard contractual clauses (SCCs) or binding corporate rules (BCRs)
Is there a lawful mechanism for the international transfer (adequacy decision, safeguards), if not, what should be done?
Where there is no lawful mechanism, the transfer of data must be suspended. However, organisations can seek alternative mechanisms in which the transfer of data internationally may be possible, such as through derogation, which you can read more about via the ICO’s website.
International Transfer Requirements
Having considered the points in the above section, it is important to then understand what your obligations are in respect of transferring personal data to an EU / EEA country, in the situation whereby the adequacy decision has not been adopted.
- First of all, the transfer has to be necessary for any of the law enforcement purposes
- Secondly, the transfer must be based on either having an adequacy decision adopted or where appropriate safeguards are in place. Or in the absence of these two, then where there are certain specified circumstances
- Finally, the transfer is to a relevant authority in the third country or is a relevant internal organisation (i.e., an international body that carries out functions for any of the law enforcement purposes).
All these three requirements must be met. Although, it is still possible to transfer personal data to an EU/EEA country and to a body which is not a relevant body if certain specified safeguards are met. If this is the case, all the following four conditions must be met:
- The transfer is strictly necessary in a specific case for the performance of a task by the transferring controller as provided by law for any of the law enforcement purposes
- The fundamental rights and freedoms of the data subject do not override the public interest concerning the transfer
- The transferring controller considers that the transfer to a relevant authority in the third country would be ineffective or inappropriate
- The transferring controller sets out the specific purposes for which the data may be processed by the intended recipient and informs them of these.
What next?
It is clear from this legal position, that it is a crucial decision that the UK is waiting upon from the European Data Protection Board and the committee of the 27 EU Member Governments. These conditions also clearly show the seriousness and importance in the handling of personal data and it must not be taken likely.
The decision by the European Data Protection Board on whether the draft adequacy decision of 21 February can be adopted is therefore very significant.
Practical Considerations
Whilst we wait the final decision on whether the UK, as a third country, has as an adequacy decision granted, we recommend all UK based employers:
- Continue to comply with part 3 of the DPA 2018 and follow current ICO guidance
- Use the ICO’s interactive tool to help you understand whether the end of the transition period affects you. https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/end-of-transition-interactive-tool-for-small-businesses/
- If you are a UK business with no contacts, employees, or customers in the EEA then nothing much more needs to be done. Although you may wish to review your existing work practices to ensure that they are compliant with UK data protection requirements. You can use our GDPR Risk and Compliance Audit tool to do this. By completing the risk audit, it will provide you with a report explaining which areas need updating to be compliant.
- If you process the personal data of any individual who resides in the EEA, you will need to comply with both UK and EU data protection regulations in respect of how you process their data, regardless of the geographical location of your organisation. It would be advisable to designate a representative within the EEA if your organisation has a presence within the EU and EEA.
- Review data flows to identify where you receive data from and/or send data to, within the EU and EEA.
- If you receive personal data from the EU and EEA, we advise ensuring you have put appropriate safeguards in place ASAP and before the end of April in case the European Commission’s draft adequacy decision is not adopted.
- Liaise with any European representatives or organisations you may work with about what if any additional safeguards need to be in place to ensure the legal flow of data between your UK operations and those based within the EU.
- If the UK does not receive an adequacy decision, it is very likely you will need to put in place ‘standard contractual clauses’ as a safeguarding measure in respect of data coming from the EEA. These are a set of rules which deal with how you transfer data from the EEA to the UK business.
- Another safeguarding measure for data coming from the EEA would be to undertake a risk assessment relevant to the data transfer. The Information Commissioner’s Office has the ‘keep data flowing’ tool that you can use to do this. https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/keep-data-flowing-from-the-eea-to-the-uk-interactive-tool/
- Where you do have data flow from the UK to within the EU, document the new basis for the data transfer.
- Where you transfer data to the EEA, then there is no action required. You can still send the data, however, be sure that all your privacy information and other records are up to date. The UK GDPR currently does not require any safeguards for transfer of data to the EEA.
- If you collected data before 31 December 2020 concerning employees based in an office, branch, or other established presence within the EEA (non-UK data) then this will be known as ‘legacy data’ as it is subject to the EU GDPR regulations as of 31 December. (This is also known as the ‘frozen GDPR’). You may still use the latest information you hold regarding where people were living, up to 31 December 2020. Personal data acquired from 1 January 2021 that is processed based on the Brexit withdrawal agreement is also subject to the frozen GDPR.
- Following on from point 12; it is advisable to undertake a one-off exercise to identify the data you collected before the end of 2020 about employees living outside of the UK at the time. This will be required for compliance purposes.
- Review your company’s privacy information, internal records and logs to identify what may need updating should the draft adequacy decision not be adopted.
- All those responsible for and involved in data protection within your organisation should be kept informed, kept up to date on the transition period and provided with appropriate training on managing data safely and in line with data protection requirements.
Further Information
- Watch the recent webinar recording ‘Data and GDPR – Compliance and Implications after Brexit’
- To conduct a data and compliance risk audit of your current working practices you can complete our risk audit, where you will be provided with a report summarising steps you need to undertake to maintain compliance.
- Watch on demand, our previous GDPR webinars:
- GDPP Focusing on the implications for HR
- GDPR Compliance (Stage 1 Audit Webinar)
- GDPR Compliance (Stage 3 DPIA and Privacy by Design)
- GDPR Compliance (Stage 4 Record Keeping)
- GDPR Compliance (Stage 5 Breach Notification Webinar)
- GDPR The Difference between Privacy and Consent – getting it right!
- Job References and GDPR – pitfalls and quick tips
- Preparing for GDPR
- The future of subject access request under the GDPR
- Your new General Data Protection Policy
- Information Commissioners Office – Data protection for organisations https://ico.org.uk/for-organisations/
- European Commission – Adequacy decisions https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
- European Commission Announcement dated 19 February 2021: Data Protection: European Commission launches process on personal data flows to UK https://ec.europa.eu/commission/presscorner/detail/en/ip_21_661
- General Data Protection Regulations https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679