On the 31st December 2020, the Brexit transition period came to an end. The Brexit Trade Deal negotiated on the 24th December 2020 allows for the delay of any changes for at least 4 months, giving your organisation more time to prepare.
Does this apply to my organisation?
If your Organisation does not have offices, branches or other establishments in the EEA (European Economic Area) but you undertake data processing of individuals within the EEA in relation to goods and services that you offer then the below checklist will apply to you. This will not apply to you if you send and receive data into and from other countries (including European countries) directly with consumers. If, however you store data in other countries via a cloud infrastructure for example, this will still apply to your organisation.
Our platform can help you simplify this process by mapping out your data flows so you can see the countries you send your data to, the types of data you hold and the rules to follow under each circumstance.
How can my organisation prepare?
1. Map your data flows
You need to identify and map any flow of data between your organisation and the EEA. It is also helpful to identify the time and date of these data transfers so that you can identify new data being collected now that the transition period has ended and those that were collected before the end of the transition period (1st January 2021) which will be considered as ‘legacy data’. Legacy data is personal data of individuals outside of the UK being processed within the UK, which were either acquired before the transition period ended, or where it is being processed on the basis of the Withdrawal Agreement, after the end of the transition period. Any data transferred before will be subject to EU GDPR whilst data collected after this date would be subject to UK GDPR rules. EU law refers to the law applicable on the last day of the transition period.
Note: the ICO advises that large volumes of data, special category data (such as medical records) or criminal convictions, and business critical data should be mapped first and detailed fully.
2. Update your Records of Processing Activities (ROPAs)
Once you have identified and mapped out your data, your organisation should update your Records of Processing Activities (ROPAs) accordingly to evidence your compliance.
3. Identify the relevant safeguards
As the UK is now considered a ‘third country’, this means that transferring data between the UK and the EEA would involve extra safeguards that were not needed before Brexit. Until a ‘decision of adequacy’ has been made which would deem the UK as having met the EU data protection standards and thus able to transfer data freely, these safeguards can be in the form of:
SCCs - The most common for SMEs are Standard contractual clauses (SCCs) which are contracts that have been pre-approved by the EU that allows a company to continue transferring data between the EEA after the UK leaves the European Union. This is only the case where SCCs provide for “essentially equivalent” protection as in the EEA and the ICO has a useful tool for SMEs to determine whether this is the right form of safeguard for your organisation.
BCRs - For larger corporations, it is more common to adopt binding corporate rules (BCRs) as they are suited for international transfers between separate entities within the same organisation and thus better suited to global businesses. They are internal codes of conduct which apply to multinational groups.
There are a number of exceptions to this as set out in Article 49 of the UK GDPR under which you may be able to continue transferring data such as:
· Explicit consent from the individual to have their data transferred between the EEA and the UK in this precise manner and not just a general acceptance from the individual;
· Performance of a Contract in which you have a contract with the individual whose data you are transferring and the transfer itself is only on an occasional basis;
· Reasons of Public Interest or Exercise of Legal Claims, both of which involves following prescribed laws and regulations;
· Transfer of public registers;
· In the Vital Interest of someone unable to consent; and
· Compelling legitimate interest of which the transfer is a one-off transfer.
Further information on what constitutes the above-mentioned exceptions complete with examples can be found on the ICO website.