Life after a messy divorce can be tricky, and there is usually a lot of painful admin to get through. Brexit is no different on this front. To mark Data Privacy Day (who knew such a day existed), we have pulled together a quick summary of the changes, what they mean for UK businesses and some of the tasks those businesses need to undertake to protect themselves.
After a tense few years we finally have our Brexit agreement and have exited the European Union, stage left. One of the tasks UK businesses must now undertake is a review of their data privacy policies and processes, because there are some changes that may need to be made.
When two become one
If you are based in the UK, this could change the way you handle personal data. Before exit, UK controllers and processors were bound by two pieces of privacy law: the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA 2018). Now that we have left the EU, the EU GDPR no longer applies directly as UK law. Instead, its text has been carried over into UK law as the "UK GDPR", which sits alongside the (amended) DPA 2018. This took effect on 1 January 2021.
For now the rules that apply to UK businesses are essentially unchanged, but the UK government now has sole discretion over the UK GDPR and can amend it if it sees fit.
So, what does this mean for your business right now?
There are probably some minor changes you need to make to your policies and documentation. The ICO (the Information Commissioner's Office) suggests these as the key ways to prepare:
Review your privacy notices and replace any reference to "Union law", the "EU GDPR" or other EU-specific terminology with the UK GDPR equivalent. Also update your privacy notice to reflect any changes to your international transfers and, if you are required to appoint an EU representative, to identify them. If you have chosen to record the lawful basis or the conditions for any of your processing, review those records for the same terminology changes.
As a reminder, if the UK GDPR applies to your processing of personal data, it does not matter where in the world the individuals whose data you process are located. The regulation still applies.
Check whether you need to amend your Data Protection Impact Assessments (DPIAs), for example where they cover international data flows that, after exit, have become restricted transfers and now need a transfer mechanism.
If you are currently required to have a Data Protection Officer (DPO), for example because your core activities involve large-scale, regular and systematic monitoring of individuals, that requirement continues after the break from the EU. If you process personal data that falls under both the UK GDPR and the EU GDPR, you may need a DPO for each regime. A single DPO can fulfil both roles, but they need to be readily available to engage with both the ICO and the relevant EU supervisory authority.