From the 1st January 2021, a new Data Protection regime will be in place in the United Kingdom. In short, very little changes. The UK will have its own version of the GDPR (called the UK GDPR) which forms part of UK law under the Data Protection Act 2018.
The UK Government, under both the Conservative Manifesto and the ‘Political Declaration’ part of the withdrawal agreement signed last year, is committed to a high level of Personal Data Protection. The UK, back in the 1980s, was after all one of the first countries in Europe to develop such a law having noticed a changing technological world. While the GDPR isn’t a perfect piece of legislation, it has set the bar for personal data related laws around the world with countries from the US through to Egypt now deploying legislation that follows the GDPR model.
The information and guidance in this section is based on resources and guidance from the Information Commissioner’s Office, the British Chambers of Commerce and our Essex-based Data Protection specialist partner, Lighthouse IG Ltd. This guidance will help Chambers Members ensure that they can continue to send personal data to and from the European Economic Area (EEA) after the transition (the EEA is the members of the EU plus Iceland, Norway and Liechtenstein).
The key step, which every organisation must take in preparing for our departure from the EU, is to begin by knowing what you are doing and where your personal data comes from and goes to. Only then can you find out if our EU departure will affect your Data Protection obligations in any way.
The guidance is broken up according to your circumstances and what you are doing.
UK only relationships:
If you are a UK business or organisation that already complies with the GDPR and has no contacts or customers in the EEA, you do not need to do much more to prepare for data protection compliance after the UK has left the EU.
The ICO guidance for you can be found here.
EU to UK & UK to EU relationships:
If you are a UK business or organisation that receives personal data from contacts in the EU, you need to take extra steps to ensure that the data can continue to flow after the UK leaves the EU. If the UK does not secure a trade agreement (a treaty) with the EU when we leave, there will be issues and disruption to the flow of data leaving the EU to the UK. The advice for you can be found here.
If you are a UK business or organisation with an office, branch or other established presence in the EEA, or if you have customers in the EEA, you will need to comply with both UK and EU data protection laws after the transition. You may also need to designate a ‘representative’ in the EEA (a legal entity belonging to you that is your legal ‘presence’ within the EEA).
There is some further guidance for those circumstances here.
UK to anywhere else relationships:
For the short term, things should remain as they were before we left the EU, as the ICO & UK Government are planning to simply copy what was in place with the EU Commission. The list of ‘safe countries’ and other methods for getting data out of the UK/EU are effectively the same and have the same legal standing after our departure. Over time, this may change as the Government seeks to bring them into line with UK laws and practices, but for the short term there are currently no major roadblocks envisaged.
Further support and guidance:
The Chamber will be continuing to run its practical training sessions on this aspect of Data Protection plus others. Keep an eye out for future courses or contact us with any specific questions you may have, and we will help you as best we can.
Lighthouse IG Ltd are experienced practitioners in how to collect, use and manage information and data, not just personal data. Since 2018 they have been working with the Chamber to deliver a range of training courses on Data Protection.