The end of the Brexit transition period is upon us. As of 1 January 2021, the UK is a 'third country' under the EU General Data Protection Regulation (GDPR), though the transition period has been extended for up to six months for EU data protection purposes, during which time the UK will not be treated as a third country (discussed in more detail below). Organisations need to consider the following key points to ensure continued compliance with the GDPR:
1. Appoint a data protection representative.
- You will need to appoint an EU representative for data protection purposes where you have no office, branch or other establishment in the European Economic Area (EEA) but:
- you process personal data belonging to individuals located in the EEA; and
- you either:
- offer goods or services to such individuals in the EEA; or
- monitor such individuals' behaviour in the EEA.
- You also will need to appoint a UK representative if you process personal data of individuals in the UK in relation to offering goods or services to, or monitoring the behaviour of, individuals in the UK, but you have no office, branch or other establishment in the UK.
2. Loss of one-stop-shop protections. Consider restructuring your data processing operations and moving your main establishment to an EU Member State so as not to lose the benefit of the GDPR's one-stop-shop regime.
3. Address potential new 'restricted transfers'. Transfers of personal data from the EEA to any 'third country' are 'restricted transfers' under the GDPR. This means they require a transfer mechanism such as reliance on a relevant adequacy decision or a safeguarding mechanism such as the Standard Contractual Clauses (SCCs). The UK-EU Trade Agreement agreed to on 24 December 2020 extends the transition period beyond 31 December 2020 for data protection purposes to allow the European Commission to complete its adequacy assessment of the UK's data protection laws. This 'Specified Period' begins on 1 January 2021 and shall last four months (extended to six months unless either the UK or EU objects). If an adequacy decision is in place before the end of this six-month period, the Specified Period will end. The implications of this are as follows:
- During the Specified Period, transfers of personal data from the EEA to the UK will not be considered transfers of personal data to a 'third country' and can continue under the GDPR without the implementation of additional safeguards.
- Following the expiry of the Specified Period — and if the UK has not obtained a finding of adequacy during this period — such transfers of personal data from the EEA to the UK will be 'restricted transfers' and will require a safeguarding mechanism such as the SCCs.
However, if the Commission finds that the UK's data privacy laws are adequate, the UK can continue to transfer personal data freely from the EEA to the UK without requiring any such safeguarding mechanism.
To safeguard against any future interruption to the free flow of personal data between the EEA and the UK — for example, where a finding of adequacy in the UK is not achieved upon expiry (and any extension) of the Specified Period — we suggest UK-based organisations consider implementing cross-border personal data transfer agreements incorporating the SCCs without delay, if these are not already in place.
4. Update documentation. Organisations will need to update data privacy-related documents, including privacy notices, data processing addenda and similar contractual arrangements, and internal policies and records. You may need to update existing data protection impact assessments to address, for example, that:
- the UK is no longer an EU Member State;
- the GDPR no longer domestically applies in the UK and instead the processing of personal data in the UK is governed by the UK GDPR;
- transfers to the UK from the EEA are 'restricted transfers' and will require a safeguarding mechanism (e.g., reliance on an adequacy decision or execution of SCCs); and
- details of your appointed EU and/or UK GDPR representative should be included in your privacy notice. Alternatively, you can do so in the upfront information you provide to data subjects before you collect their data.
Over the next few weeks, Katten will follow up with additional analysis on post-Brexit GDPR compliance.
Georgina Vale, a trainee solicitor in the Intellectual Property group, contributed to this advisory.