Now that the UK has left the European Union, what will the implications be for the GDPR? Will anything change? We answer your most frequently asked questions.
1. Should UK businesses worry about GDPR post Brexit?
The UK government has signalled its intention to enshrine many of the existing GDPR provisions into UK law, to sit with the Data Protection Act 2018. The planned changes are available in the Keeling Schedule.
2. What will stay the same?
Essentially all the current data protection principles, obligations and individual rights will stay the same.
3. Will the ICO still exist?
Yes. The ICO will still be the data supervisory authority for the UK, but not for EU activities that fall under EU GDPR. However, the ICO plans to continue working closely with EU supervisory authorities now that the UK has left the EU.
4. What changes are expected in 2021?
As you'd expect, one of the biggest changes is likely to be the requirements on transfers of personal information between the UK and EEA.
The changes affect companies that continue to process the personal information of UK and EEA citizens, eg by providing goods and services or monitoring their behaviour, beyond the exit date.
The UK GDPR will apply to controllers and processors outside the UK who process the personal information of UK citizens, whereas the EU GDPR will cover EEA citizens' personal information.
5. What if you are UK-based but process EEA citizens' personal information?
The EU GDPR will continue to apply after the exit date. You will need to make preparations to ensure your data processing is lawful. There are four main issues to consider:
- International data flows - consider whether there is an adequacy decision, appropriate safeguards (Standard Contractual Clauses or binding corporate rules), or an exception you can rely on.
- EU representatives - if you intend to process EEA citizens' personal information after the exit date and you don't have a base or office within the EU or EEA, then you'll need to appoint an EU representative (eg a law firm, consultancy or company) where those individuals are based to represent you, and also provide the representative's information to data subjects (eg via a privacy notice).
- EU regulatory oversight of cross-border processing - if you currently engage in cross-border processing and benefit from the One-Stop Shop arrangement with the ICO as your lead authority, be aware that you may no longer be able to rely on this after the exit date. You will have to deal with both the ICO and an EEA lead supervisory authority. Consult the EDPB guidance for more advice on identifying lead authorities. In the event of a data breach, you may also be fined by UK and EEA authorities.
- Documentation and accountability updates - review your privacy notices, DPIAs and related documentation to ensure they include references to EU and UK law, identify your EU representative and cover future transfers. Make arrangements so your Data Protection Officer can be contacted by all.
6. How will Brexit affect the PECR, EIR and FOIA?
The Privacy and Electronic Communications Regulations (PECR) - covering unsolicited marketing calls, electronic communications and cookies - and the Environmental Information Regulations (EIR) are European laws that have been enshrined in UK law. As such, they continue to apply now that the UK has left the European Union.
The Freedom of Information Act (FOIA) is part of UK law and remains unchanged.
UK businesses will still be expected to comply with the key principles, obligations and rights under the GDPR, and therefore should be ready to ensure continued compliance.
For the latest information and guidance, keep checking back to the ICO website.