7 Key Brexit Impacts

Now the Trade & Cooperation Agreement is here, what does Brexit mean for your Privacy program?

With the UK-EU Trade and Cooperation Agreement struck on 24 December 2020 (‘TCA’), this Guide updates what Brexit means for your Privacy Program.

Download the PDF: Keepabl 7 Brexit Impacts

Complementing this Guide, you can also see Privacy Kitchen’s videos on Brexit, including:

1.  Brexit & the UK GDPR

KEY DATES

The Brexit transition period ended on 31 December 2020.

From 1 January 2021, the EU GDPR is no longer part of UK law. However, a UK version of the EU GDPR (‘UK GDPR’) is adopted into UK law on 1 January 2021 and applies to all entities in the UK.

THE UK GDPR

The UK Government created what’s called a ‘Keeling Schedule’ showing the markups to the EU GDPR to create the UK GDPR.

You can see the process was essentially:

  • to replace ‘the EU’ and ‘Member States’ with ‘the UK’, and
  • to remove all the wording related to the EU, Member States, and the EDPB.

Think of the UK GDPR as if the EU GDPR had been drafted simply to cover the UK instead of the EEA. The principles and obligations, the tests for DPOs and Representatives, etc. are all the same.

2.  Which GDPR applies?

IF YOU’RE IN THE EEA

The EU GDPR will continue to apply to all EEA entities.

IF YOU’RE IN THE UK

The UK GDPR will apply to all UK entities.

The EU GDPR may also still apply to UK entities going forward as the EU GDPR will continue to apply to EEA personal data transferred to the UK prior to 1 January 2021 (‘EEA Legacy Data’) until the UK obtains an adequacy decision.

WHEREVER YOU ARE

And, under GDPR’s famous global reach:

  • the EU GDPR may apply to you in the UK,
  • the UK GDPR may apply to you in the EEA, and
  • each may apply to you wherever you are in the world, even if you’re not established in the EEA or UK.

The relevant test is in Article 3 of each GDPR, with one test where you’ve an establishment in the EEA / UK and one where you don’t.

3.  UK = Third Country

GOODBYE EU & EEA MEMBERSHIP

This is the big change in practice: from 1 January 2021, the UK is a ‘third country’ for the EU GDPR.

And anywhere outside the UK is a third country for the UK GDPR.

MAIN IMPACTS

Apart from the obvious jurisdictional changes we looked at above, the major Privacy effects are:

  • the definition of a ‘transfer’ is now different, and will need consideration for each GDPR,
  • many may now need a Representative in either the UK or EEA, under each GDPR, and
  • UK organisations can no longer use the ‘one-stop shop’ mechanism under GDPR and, if they breach EU GDPR, could be in line for multiple fines from the EEA, not just one – as well as any fine for breaching the UK GDPR!

However, the 24 December Trade and Cooperation Agreement (‘Brexit TCA’) at least puts in place a mechanism for transfers of personal data from the EEA to the UK for up to 6 months, which we’ll look at now.

4.  Transfers

For both GDPRs, a transfer is when personal data is made available or transferred to an ‘international organisation’ (such as the UNHCR, International Committee of the Red Cross, etc) or any person in a ‘third country’.

TRANSFERS FROM THE EEA TO THE UK

From 1 January 2021, the UK is a third country for the EU GDPR. However, the Brexit TCA states that ‘transmission of personal data from the [EEA] to the United Kingdom shall not be considered as transfer to a third country under Union law’ (Article FINPROV.10A: Interim provision for transmission of personal data to the United Kingdom, page 406).

This lasts for the ‘specified period’ of 6 months (ie: to the end of June 2021) to give the UK time to try to obtain an adequacy decision. That period can be reduced to 4 months (ie: to the end of April 2021), and the whole Brexit TCA can be terminated on certain conditions.

TRANSFERS FROM THE UK TO THE EEA

The UK has made an adequacy decision regarding the EEA, so transfers from the UK to the EEA can continue on that basis.

Also, the UK adopted all of the EU’s adequacy decisions and standard contractual clauses (‘SCCs’) up to 31 December 2020, so you can continue to use all of those for UK GDPR.

A point to note: the EU released draft updated SCCs for consultation at the end of 2020. Any resulting final version adopted by the EU will come into force after 1 January 2021; we’ll have to see if the UK adopts them too.

5.  EU / UK Representatives & DPOs

IF YOU’RE IN THE EEA OR UK

The 28 million or so ‘active enterprises’ in the EEA and UK won’t previously have considered whether they needed an EU Representative as part of their compliance program. So this is a new decision for you to make.

IF YOU’RE OUTSIDE THE EEA & THE UK

If you’re outside the EEA and the UK, you still need to revisit your EU Representative decision because of Brexit. Perhaps you relied on a UK establishment for EU GDPR?

THE ‘3-2’ TEST

You may need none, one, or both of the Representatives depending on where you’re established…

The relevant test is in Article 3(2) of each GDPR. In summary, the EU / UK GDPR will apply to you (and you’ll need an EU / UK Representative) if:

  • you’ve no establishment in the EEA / UK, and
  • you offer goods or services to non-legal entities in the EEA / UK or monitor the behaviour of individuals in the EEA / UK.

WHAT ABOUT DPOs?

DPOs are easier, as everyone has already thought about them: it’s not a new decision. Also, DPOs don’t strictly need to be where your data subjects are: regulators even recognise they may be outside the EU. Best to review your decision, though.

6.  Your Documents

REVIEW & UPDATE

You’re probably doing Brexit-related document reviews anyway, to make sure your contracts still cover the right countries now that the EU and EEA no longer include the UK and that your jurisdiction and dispute resolution clauses are still good.

You’ll also need to review and update all your Privacy-related documents, for the same reasons as above, and to make sure they refer to the right GDPR, or GDPRs.

KEY DOCUMENTS

In particular, you’ll want to look at these key document types:

  • public-facing policies such as your website Privacy Policy and Cookie Policy,
  • internal policies and procedures such as your HR Privacy Notice, your Data Subject Rights and Assessment documents, your DPIAs, Transfer policy, etc.,
  • your employment agreements,
  • processor agreements with your suppliers,
  • joint controller arrangements with your partners, and
  • your customer agreements.

7.  Your Records

ACCOUNTABILITY

The UK GDPR has the same Accountability Principle as the EU GDPR, so you’ll want the same records to prove your Privacy Framework is in place and ongoing.

ARTICLE 30 RECORDS

The UK GDPR has the same Article 30, just related to the UK not the EEA.

So you should be fine with your existing (compliant) Article 30 Records, as long as you cater for the different jurisdictions for transfers etc., although you may need to cater for each GDPR separately.

The UK’s Data Protection Act does require you to add on some extra columns to your GDPR Article 30 Records, covering special categories etc, although this was already in place before Brexit.

OTHER RECORDS

As we’ve already mentioned, your transfers register may need to cater for both GDPRs.

We’ve mentioned your processing agreements and other contracts. You’ll also need to maintain your personal data breach log and data subject request log for each GDPR, which Keepabl would be delighted to help you with!

Privacy Kitchen’s video, Your Personal Data Inventory, Top Tips & Brexit Impact, has a great discussion on Brexit’s impact on your records.

And why not book your demo now and see how Keepabl can save you time, cost and stress on your personal data inventory, Article 30 Records, Transfers and more!
