When the transition period ends and the UK’s exit from the European Union is complete, businesses with customers in Europe will need to exercise care to keep on the right side of data protection legislation.
Under the European Union’s General Data Protection Regulation – or GDPR as it is known – there are strict requirements for businesses processing personally identifiable information about individuals who live within the EEA, which comprises the countries within the EU plus Iceland, Liechtenstein and Norway.
Any UK business managing personal data relating to EEA citizens after 31 December 2020 will continue to be bound by the provisions of Article 27 of GDPR.
Even though GDPR will be retained in domestic law at the end of the transition period, the UK will no longer be part of the EU. If you handle data relating to individuals in the EEA and your organisation has no office or other establishment within Europe, you will have to appoint someone in the EEA who offers services as a GDPR representative to act on your behalf in dealings with individuals and data protection authorities in the EEA.
It’s most likely to affect small to medium-sized businesses, as larger organisations will probably already have a base somewhere in the EU. You may have gone through all the hoops to manage compliance when GDPR was introduced in 2018, but you must check the position now to be sure you will be compliant from January onwards. You also need to make sure your privacy information and documentation are up to date and reflect any changes that may be required, such as the appointment of a European-based representative.
If any such breaches came to light, there is the potential for high fines from the Information Commissioner of up to €10m or 2% of global revenues, so it’s worth getting everything checked by a specialist.
The Information Commissioner’s Office, or ICO, is the independent supervisory body for the UK’s data protection legislation and will continue in that role post-transition. The ICO website includes guidance for data processors on managing the departure from the EU, with an interactive toolkit to help organisations understand what they need to do to maintain a free flow of data to the UK from the EU.
The guidance also highlights that it’s not just organisations dealing with European citizens that need to know where they stand. Post-transition, the provisions of GDPR will be incorporated directly into UK law, to sit alongside the Data Protection Act 2018. Any organisation operating in the UK and processing data about UK residents must continue to comply with all related legislation.
For further information on complying with GDPR please contact David Morrison on 01689 887838 or email firstname.lastname@example.org