Over the last few years, the General Data Protection Regulation (the GDPR) has played a pivotal role in our legal landscape. Its purpose (alongside the Data Protection Act 2018) is to govern and regulate the data protection regime here in the UK, as well as across the EU.
Although we left the EU on 31 January 2020, during the UK-EU transition period (which will end on 31 December 2020), the UK has continued to be treated, for most purposes, as if it was still an EU member state. This means that most EU law has continued to apply and will continue to do so until the end of the transition period. This includes the GDPR.
But what happens to our data protection regime when the transition period ends?
The UK’s regulatory body, the Information Commissioner’s Office (the ICO), has said that the rights and obligations which are enshrined in the GDPR will continue to apply as normal. This is some comfort to those organisations who worked so hard since the GDPR came into force to ensure their compliance with the new regime. They will be well placed to meet compliance after our exit from the EU.
But what about organisations who receive or share data about EU citizens? Currently, as a member state, this is relatively easy to do. However, this is likely to change come 1 January 2021.
Article 27 of the GDPR requires organisations that are not established in the EU but systematically process personal data of EU citizens on a large scale to appoint an EU-based representative to act as their EU-facing point of contact for these citizens and local data protection authorities.
If the UK can’t provide an “adequate” level of protection (that is, one that offers an essentially equivalent level of data protection to that which is applicable in the EU) for personal data processed in the UK from the EU, UK organisations will be faced with having to enter into standard contractual clauses, developing binding corporate rules, or using other mechanisms or derogations to be able to receive personal data from the EU.
This is most likely to affect small to medium-sized organisations, as larger bodies will probably have an established EU presence. However, it is vital that if you are any type of organisation that falls into this category you start to take steps now to ensure you will be compliant post-transition.
A first step would be to assess what information you hold and how it flows through your organisation by undertaking a data audit. If you fail to review your processes and commit a breach of the GDPR, there is the potential of high fines from the Information Commissioner’s Office.