Data privacy legislation is not known for being easy to understand. Otherwise, who would need to pay for lawyers, right?! The complexity of data privacy legislation is compounded when we are dealing with Brexit and cross-border data transfers. Lucky for you, our in-house GDPR lawyers love this stuff and have written this guide especially for SMEs in the UK and Europe.
As of the 1st January 2021, the UK is now a third country under the EU GDPR legislation. This means that British businesses are now obligated to conform to the UK Data Protection Act which incorporates the UK GDPR. Both British and European companies need to ensure they understand how they can abide by data protection laws and share information with each other whilst conforming to European and British legislation.
In reality, not much will change for most businesses. The UK has already incorporated the entire EU GDPR legislation into UK law with the Data Protection Act 2018 and the UK GDPR (which is a UK version of the GDPR with some small changes). This means that all parts of the GDPR are still applicable to UK businesses, but now under the UK Data Protection Act (DPA). For some tips and tricks on how to abide by the GDPR as a small business in general, you can see last week’s articles on 7 steps to GDPR compliance for small businesses and the 7 elements of GDPR consent management for small businesses. In this article, we will guide you through the 7 key points you need to know about the UK GDPR after Brexit. A small warning is in place: We are going to use a lot of acronyms, so put on your reading glasses and pay attention.
GDPR and Brexit: Does the UK still need to comply?
Firstly, you should always see whether the GDPR is applicable to your business and your particular processing activities. Processing is set out in the GDPR and means doing basically anything with a piece of personal data, including collecting, changing and exchanging.
The GDPR is applicable to data processing related to EU residents or citizens, no matter where the processing takes place. The GDPR could therefore be applicable to your business, even if you’re based outside the EU. This is why, sometimes, even American companies like Facebook have to abide by the GDPR, and why they’ve gotten in so much trouble about it.
If you don’t process data from European residents or citizens, then the GDPR does not apply to you. If you are based in the UK and process personal data from UK residents or citizens, you need only to look at UK laws. In preparation for Brexit, the UK government wrote their own version of the GDPR, because despite not being part of the EU anymore, they still wanted Briton’s privacy to be protected.
To make things clear, easy and not at all confusing, the UK government called their version of the GDPR the “UK GDPR”. But we understand, because the UK version of the GDPR is very (and we mean very!) similar to the EU version. This UK GDPR is applicable to your business if you process data from UK citizens, even if that processing takes place outside of the UK.
It is therefore very possible that both versions of the GDPR, both the British and the European versions, apply to your business. This is the case if you process data from British as well as European citizens. Even if you do that from a sunny island somewhere in the Caribbean, in which case we’d love to visit you.
Now, what is this whole UK GDPR Brexit thing going to change?
Nothing is going to change (probably)
Good news; not a lot! The European Commission has published a draft adequacy decision. If adopted, this decision will allow for EU to UK data transfers to happen with little change for most businesses. This basically means that the European Commission is content that the UK data privacy legislation (namely the Data Protection Act and UK GDPR) has adequate safeguards in place which are at least equal to those in the EU GDPR. We should have a final decision from the European Commission about this very soon.
This makes sense, because from a legal point of view, both versions of the GDPR are very similar. So if there is no adequacy decision granted by the European Commission, they would basically be saying that the EU GDPR is not very good. Which is not going to happen, of course.
Only have data on UK nationals? Then only worry about the UK data privacy legislation (DPA and UK GDPR)
If you never transfer personal data from or to the EU or EEA, nor hold any data about EU nationals, then you only need to worry about the UK GDPR and the Data Protection Act. The adequacy decision will have no impact on your business, because EU law or decisions don’t apply to you anymore. Of course, you should still take some action to become UK GDPR compliant. Luckily, those steps are the same for becoming EU GDPR compliant as a small business, and we already wrote them down for you, here: 7 steps to GDPR compliance for small businesses
Transferring data from the UK to the EU? Then no problem
The UK government has stated that they recognise adequacy between the DPA/UK GDPR and the EU GDPR which means there are no restrictions on sending personal information of UK nationals to EU/EEA organisations, as long as they themselves conform to EU GDPR. Your business has an obligation to verify that the receiving organisation is GDPR compliant. A great way to do this is putting a data processing agreement in place between your own organisation and the recipient, in which the security measures taken to protect the personal data are specified.
We will talk more about data processing agreements in one of the later installments of our Transformer Series, where we set out the 7 GDPR documents every small business should have in place. In the meantime, you can have a look at the ICO’s website.
Transferring data from the UK or EU to non UK or EU/EEA countries? Then you need some extra safeguards
For UK/EU to non UK/EU member state data transfers, Brexit hasn't changed anything. For data transfers to countries outside of the GDPR sphere of control, you always needed extra safeguards. This includes data transfers to the U.S., and is for instance the case when you host your customer’s personal data on Google or Amazon data centers located in the U.S..
The easiest way to take these additional safeguards is through something called Standard Contractual Clauses (SSCs). Essentially, SSCs are just clauses in a contract you have with the receiving organisation stating that they must protect the data (of which you are still owner) at a level compliant with the GDPR (either the UK or EU flavour, depending on where you are based).
The UK government has agreed adequacy with some countries including Argentina, Canada, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand and Switzerland. This means that transfers to these countries will not require SSCs, because the British government has already decided that they take data protection seriously and don’t need extra safeguards. The EU has agreed adequacy with almost the same list of countries as you can see here.
EU/EEA to the UK is where it could get tricky
If the EU decides that the UK DPA/UK GDPR has adequate safeguards, then things can carry on as normal (with the exception of the next two points). If adequacy is not granted by the EU, companies based in the UK, who process data from European citizens or residents, will need SCCs in each contract with receiving organisations.
As a British business, do you do a lot of business in the EU or have a lot of EU customers? Then you need an EU representative
If you regularly offer goods or services, or monitor the behaviour of, EU nationals then you will need an EU representative. This will be true regardless of any adequacy decision. This EU representative must be a business, either controlled by you or somebody else, who you approve to act on your behalf for any EU GDPR requests (e.g. data subject access requests, which we have discussed in this article on GDPR compliance for small businesses).
This EU representative needs to be set up in an EU or EEA state where at least one of the individuals whose personal data you are processing in this way are located (e.g. if you have Dutch customers you need a Dutch representative, if you have Dutch, French and German customers you need to have a representative in Holland, France or Germany).
The requirements for a representative are set out on the ICO’s website.
For all Naq customers, in case (at least one) your data subjects are located in the Netherlands, Naq Cyber BV (the Dutch parent company of Naq Cyber UK Ltd), is able to act as your representative in the EU. If your customers are not located in The Netherlands we will help you find a suitable party to act as your representative.
As a European business, do you do a lot of business in the UK or have a lot of UK customers? Then you need a UK representative
As we stated before, the UK GDPR is almost a carbon copy of the EU GDPR. This includes the requirement about representatives. If you regularly offer goods or services to, or monitor the behaviour of, UK nationals you need a UK representative. The requirements for a UK representative after Brexit are described here.
And that’s it: Everything your small business needs to take into account when thinking about the GDPR after Brexit. We know it might be a bit confusing, but this guide has hopefully cleared up some of the cloudy waters of data protection rules after Brexit.
If you would rather not have to worry about how to handle the EU GDPR, the UK GDPR, representatives and data subject access requests, so you can focus on growing your business, sign up to Naq today and we will worry about it for you.