Ready, Steady, Brexit: Your Data Protection checklist for 1 January 2021

With not long to go until the end of the Brexit transition period, organisations are busy making preparations for the change. Data protection compliance should also be on your to-do list. If you have left this to the last minute, we have put together a short list of areas to check and actions that may be required.

Following the end of the Brexit transition period, the GDPR will be retained in domestic law as the “UK GDPR”, which will continue to sit alongside the Data Protection Act 2018. Most of the rules will remain the same, but businesses are still likely to need to make certain changes.

The checklist below sets out each area to check and the action that may be required.

1. Data Transfers

Data transfer arrangements for transfers outside the EEA have become more complicated to implement since the CJEU's Schrems II decision in July 2020 and the subsequent publication of the EDPB's draft Recommendations, which require organisations to carry out transfer impact assessments and, in many cases, to put in place additional (contractual, technical or organisational) measures before data can be transferred lawfully. The Commission has also published new draft Standard Contractual Clauses, which are likely to come into effect at some point in 2021.

EEA to UK

From 1 January, transfers from the EEA to the UK should be treated like any other transfer to a “third country.” As the EU Commission has not (yet) issued an adequacy decision in respect of the UK, this would ordinarily require additional safeguards to be put in place, or reliance on a derogation.

However, the UK-EU Trade Agreement helpfully provides that personal data can continue to flow freely from the EEA to the UK, and that such transfers are not to be treated as transfers to a third country.

This reprieve lasts until an adequacy decision is granted or, if earlier, until 1 May 2021. If no adequacy decision has been issued by that date, the period is automatically extended to 1 July 2021, unless either party objects.

This arrangement is conditional on the UK not amending its data protection legislation or exercising certain “designated powers” during this period.

UK to EEA

The UK Government will transitionally recognise the EEA as continuing to offer adequate protection, so additional transfer mechanisms are not required for UK-to-EEA data flows.

UK to Rest of the World

The rules remain the same as under the EU GDPR: the UK Government will continue to recognise existing Commission adequacy decisions, but transfers to non-adequate third countries will require additional safeguards. The ICO currently supports the Schrems II decision and is reviewing the EDPB's draft Recommendations, whilst stating that it will apply a “risk-based and proportionate” approach to its oversight of international transfers.

2. BCRs

UK approved BCRs

Organisations with UK-approved BCRs need to have transferred oversight to a new EU-based BCR lead supervisory authority before the end of the year, and should also prepare a set of UK BCRs (removing any reference to the EU) for the UK. These must be provided to the ICO on or before the organisation’s annual BCR update due date.

EU approved BCRs

The ICO has also recently alerted organisations with EU-approved BCRs that they too will need to create a UK version of their BCRs (removing any reference to the EU), and that it would expect the EU BCR holder to create a new standalone version of its binding instrument (i.e. its intra-group agreement, or IGA) for the purposes of the UK BCRs, rather than simply making amendments to the existing IGA. In other words, the ICO expects organisations to re-execute the IGA amongst all the relevant members where possible. For many organisations, there is also a requirement to notify the ICO (by 30 June 2021 at the latest) of their intention to have UK BCRs.

3. Records of Processing Activity

Records of Processing Activity (under Art. 30 GDPR) will need to be updated to ensure that they include details of any transfers to the UK (as a third country), where applicable.

4. Privacy notices/Data Protection Policies

Updates may be needed regarding the description of any “third countries” to which personal data is being transferred. References to “EU law” or the “GDPR” may also need to be amended.

5. Security breach response plans

Make sure that your plan provides for possible notification to the ICO, as well as to your lead EU DPA or all relevant EU DPAs (as appropriate), in the event of a personal data breach.

6. Template data processing clauses/existing data protection addenda

Review and update such agreements to ensure that the data transfer provisions have been Brexit-proofed (and Schrems II-proofed). Check the definition of “Data Protection Legislation” carefully, since a definition tied only to the EU GDPR or EU law may not capture the UK GDPR.

7. Appointment of Representatives

UK businesses without any EU establishment, but which process the personal data of individuals in the EU, will need to consider the requirements in Art. 27 GDPR regarding the appointment of an EU representative.

Similar provisions apply under the UK GDPR: businesses without a UK establishment that process the personal data of individuals in the UK will need to consider appointing a UK representative.

Bird & Bird Privacy Solutions can provide representative services if this is of interest/relevance to your organisation.

8. DPO

Confirm whether your existing DPO will also cover the UK (as well as the EEA). Note that the requirements for appointing a DPO remain the same under the UK GDPR, and it is possible for the same individual to fulfil both roles.

For further advice and assistance on any of the above areas, please contact our Privacy and Data Protection team.