Most organisations work with personal data in one form or another and will have their privacy policy and notices in place. Many of these are likely to refer to ‘EU GDPR’; this will need to be amended to ‘UK GDPR’ from 21st January 2021, as the UK is now outside the EU. In case you are wondering, UK GDPR is effectively the same as EU GDPR and is enacted in UK law under the Data Protection Act 2018. Processing of UK residents’ personal data within the UK will continue to be governed by this Act, so you will need to amend your privacy policies and notices to remove references to the EU, and look out for clauses that state ‘no transferring of data outside of the EU’ so that they can be reworded accordingly.
The next question is whether your organisation processes or transfers the personal data of EU or UK citizens between the UK and EU countries. This is likely if you are doing any kind of business with an EU country or have an EU-based office. The future regulatory framework will be determined by whether the UK is regarded as ‘adequate’, meaning it is a trusted entity for data protection purposes. The Brexit deal omitted this decision. You may think it likely that the UK will be granted ‘adequacy’, especially as we helped draft the GDPR regulations, but this is by no means certain. One of the sticking points is the set of clauses added to the UK Data Protection Act 2018 permitting the retention of bulk personal data for national security purposes. To allow time for the adequacy decision to be reached, the Brexit deal provides for a six-month transition period from 1st January 2021, during which data may continue to flow as before with no additional controls.
We will need to wait for the adequacy decision to understand what additional controls may be required. Currently, 12 non-EU countries are deemed to be adequate: Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. These countries can send personal data to, or receive it from, any EU country without any additional controls. We must wait and see whether the European Commission decides that the UK becomes the 13th.
In summary then, for the next six months, and subsequently if the UK is regarded as ‘adequate’ by the EU, data may flow between the EU and UK with no additional controls.
If adequacy is not granted, we will become a true ‘third country’, in which case we will be required to use Standard Contractual Clauses to enable the transfer of personal data and to appoint EU-based representatives for GDPR purposes, all of which will further increase costs.
Whilst on the subject, as regards data transfers from the UK to the US and vice versa, the US-EU Privacy Shield agreement is now invalid and can no longer provide regulatory oversight, following a decision taken by the EU courts in July 2020. This means you will need to have a contract in place to enable data transfers using Standard Contractual Clauses (SCCs). For multinationals, SCCs may be replaced by Binding Corporate Rules (BCRs). Additional controls governing potential disclosure to US government agencies will also be required.
Of course, cyber criminals will be looking to exploit the change and the accompanying uncertainty. Stay vigilant, never respond to unsolicited messages by sharing personal or financial details, and report suspicious emails, text messages or voice messages to help protect your colleagues and your organisation.
Stay safe!
Peter Elliot, Cyber Security and Data protection specialist, Empiric Partners LLP.