With the UK-EU Trade and Cooperation Agreement struck on 24 December 2020 (‘TCA‘), in this Guide we’ve updated what Brexit means to your Privacy Program.
Complementing this Guide, you can also see Privacy Kitchen’s videos on Brexit, including:
The Brexit transition period ended on 31 December 2020.
As from 1 January 2021, the EU GDPR is no longer part of UK law. However, a UK version of the EU GDPR (‘UK GDPR’) will be adopted into UK law on 1 January 2021 and applies to all entities in the UK.
The UK Government created what’s called a ‘Keeling Schedule’ showing the markups to the EU GDPR to create the UK GDPR.
You can see the process was essentially:
Here’s an example:
Think of the UK GDPR as if the EU GDPR was drafted simply to cover the UK instead of the EEA. The principles and obligations, the tests for DPOs and Representatives, etc are all the same.
The EU GDPR will continue to apply to all EEA entities.
The UK GDPR will apply to all UK entities.
The EU GDPR may also still apply to UK entities going forward as the EU GDPR will continue to apply to EEA personal data transferred to the UK prior to 1 January 2021 (‘EEA Legacy Data’) until the UK obtains an adequacy decision.
And, under GDPR’s famous global reach:
The relevant test is in Article 3 of each GDPR, with one test where you’ve an establishment in the EEA / UK and one where you don’t.
This is the big change in practice: from 1 January 2021, the UK is a ‘third country’ for the EU GDPR.
And anywhere outside the UK is a third country for the UK GDPR.
Apart from the obvious jurisdictional changes we looked at above, the major Privacy effects are:
However, the 24 December Trade and Cooperation Agreement (‘Brexit TCA’) at least puts in place a mechanism for transfers of personal data from the EEA to the UK for up to 6 months, which we’ll look at now.
For both GDPRs, a transfer is when personal data is made available or transferred to an ‘international organisation’ (such as the UNHCR, International Committee of the Red Cross, etc) or any person in a ‘third country’.
From 1 January 2021, the UK is a third country for the EU GDPR. However, the Brexit TCA states that ‘transmission of personal data from the [EEA] to the United Kingdom shall not be considered as transfer to a third country under Union law’ (Article FINPROV.10A: Interim provision for transmission of personal data to the United Kingdom, page 406).
This lasts for the ‘specified period’ of 6 months (ie: to the end of June 2021) to allow for the UK to try and obtain an adequacy decision. That period can be reduced to 4 months (ie: to the end of April 2021) and the whole Brexit TCA can be terminated on certain conditions.
The UK has made an adequacy decision regarding the EEA, so transfers from the UK to the EEA can continue on that basis.
Also, the UK adopted all of the EU’s adequacy decisions and standard contractual clauses (‘SCCs’) up to 31 December 2020, so you can continue to use all of those for UK GDPR.
A point to note: the EU released draft updated SCCs for consultation at the end of 2020. Any resulting final version adopted by the EU will come into force after 1 January 2021 – we’ll have to see if the UK adopts them too.
The 28 million or so ‘active enterprises’ in the EEA and UK won’t have considered whether they needed an EU Representative as part of their compliance program. So this is a new decision to make for you.
If you’re outside the EEA and the UK, you still need to revisit your EU Representative decision because of Brexit. Perhaps you relied on a UK establishment for EU GDPR?
You may need none, one, or both of the Representatives depending on where you’re established…
The relevant test is in Article 3(2) of each GDPR. In summary, the EU / UK GDPR will apply to you (and you’ll need an EU / UK Representative) if:
DPOs are easier as everyone thought about them already, it’s not a new decision. Also, DPOs don’t strictly need to be where your data subjects are: regulators even recognize they may be outside the EU. Best to review your decision though.
You’re probably doing Brexit-related document reviews anyway, to make sure your contracts still cover the right countries now that the EU and EEA no longer include the UK and that your jurisdiction and dispute resolution clauses are still good.
You’ll also need to review and update all your Privacy-related documents, for the same reasons as above, and to make sure they refer to the right GDPR, or GDPRs.
In particular, you’ll want to look at these key document types:
The UK GDPR has the same Accountability Principle as the EU GDPR, so you’ll want the same records to prove your Privacy Framework is in place and ongoing.
The UK GDPR has the same Article 30, just related to the UK not the EEA.
So you should be fine with your existing (compliant) Article 30 Records, as long as you cater for the different jurisdictions for transfers etc. Although you may need to cater for each GDPR.
The UK’s Data Protection Act does require you to add on some extra columns to your GDPR Article 30 Records, covering special categories etc, although this was already in place before Brexit.
As we’ve already mentioned, your transfers register may need to cater for both GDPRs.
We’ve mentioned your processing agreements and other contracts. You’ll also need to maintain your personal data breach log for each GDPR, and data subject request log, which Keepabl would be delighted to help you with!
Privacy Kitchen’s video, Your Personal Data Inventory, Top Tips & Brexit Impact, has a great discussion on Brexit’s impact on your records.
We know you’ll need to share some details about Keepabl’s SaaS solution with your colleagues and advisors from time to time. You can always send them to our website –…