After 30th December 2020, the Brexit transition period will end. This has implications for the transfer of personally identifiable information (PII) out of the EU/EEA to the UK. To get around this the UK plans to reach an adequacy agreement with the EU so that things can continue pretty much as they are.
By incorporating the EU’s GDPR legislation into UK law with the Data Protection Act 2018 (DPA 2018) the UK’s legislation could align quite well with the other EU nations. This means the UK has a reasonable chance of getting the adequacy decision, but it is not guaranteed and may not be in place for the end of December. The lack of an adequacy decision must be catered for and DPO’s need to act now to be prepared for it.
Regardless of the adequacy decision, the UK’s data protection framework will continue to apply meaning any organisation that receives individuals’ personal information from an EU/EEA company to provide goods or services will need to ensure GDPR compliance. This includes data transfers from EU/EEA partners as well.
Example of a personal data transfer from an EU/EEA partner:
- A UK company receives customer information from an EU/EEA company (see which countries this applies to), such as names, email addresses, physical addresses of customers, suppliers, or partners to provide goods or services
- This can include internet protocol (IP) addresses or human resources data, such as staff working hours and payroll details
What your business will need to do from 1st January 2021
Firstly, you should ensure that your business is meeting ICO’s expectations in relation to data protection accountability. A self-assessment is provided on the ICO website to help determine your current level of compliance and to identify any opportunities for improvements.
Secondly, if your business receives or plans to receive personal data from the EU/EEA, in the absence of an adequacy decision you will need to put in place Standard Contractual Clauses (SCCs) in the contracts with data processors or joint data controllers to be within legal data requirements.
The ICO offers detailed guidance on what actions may be necessary and provides a tool to help build your SCCs. You can find the tools here: Controller to controller contract | Controller to processor contact
Additional steps to take
There may be additional steps your business or organisation needs to take in order to prepare for January 2021. To understand what changes will affect your business, you can use the transition tool on gov.uk/transition and get a personalised report with actions you should take.
Of course, the Crew is here to assist with your DPA and GDPR compliance needs to get your business or organisation ready for January. Our experienced data protection practitioners have helped both large and small organisation achieve their compliance goals.
Learn more about our services, contact us for questions or request a quote.