Loading...

The Brexit transition period has ended – now what? | Baker Tilly

Data security man looking at data analytics screen

Article

The Brexit transition period has ended – now what?

Jan. 26, 2021 · Authored by Mike Vanderbilt

Privacy regulations for countries operating in the EU can quickly become complex. This article is the second part in a series that will examine how your business can prepare for these changes, for more information - read part one.

In a year that saw more breaking news than any year should, the end of the Brexit transition period might have fallen off the radar for many organizations. It seems like an eternity ago when the United Kingdom (UK) voted to formally leave the European Union (EU); for those that have been focused on other issues, let’s remember that after four years of negotiations the UK left the EU on Jan. 31, 2020, with a transition period that ended on Dec. 31, 2020. Among of a host of issues arising from the UK’s departure from the Union were questions regarding cross-border transfers of personal data under the General Data Protection Regulation (GDPR). Under the Withdrawal Agreement, the UK would become a ‘third country’ after the transition period ended unless an adequacy decision was reached. To the relief of many organizations, a temporary reprieve in the form of the Trade and Cooperation Agreement passed shortly before the deadline.

The EU-UK Trade and Cooperation Agreement (TCA), agreed to only several days prior to the transition period ending, allows for a period of no more than six months for the European Commission (EC) to issue an adequacy decision regarding the UK. During that period, or until adequacy is granted or denied, the UK will benefit from temporary adequacy.

Mike Vanderbilt

Mike Vanderbilt

Director

Related sections

Abstract of ocean with waves

Next up

Alternative service delivery: options to effectively respond to COVID-19 and develop long-term strategy

Review your data flows: Make sure you know where your data comes from and where it goes, specifically with regard to personal data that originates from either the EU or the UK.
Update your records of processing documentation (RoPA): An organization’s RoPA should capture all the details of your personal data processing activities including what the processing activity is, what data is processed, where the data comes from, where it goes to, what the transfer mechanism is, etc. Ensure this documentation is correct, up to date and meets the requirements of both the EU GDPR and the UK GDPR (as appropriate).
Designate a lead supervisory authority (LSA): If you previously designated the ICO as your LSA, and you process EU personal data, you may need to designate a LSA in the EU.
Appoint a data protection officer (DPO): While there should not be a requirement to appoint separate DPOs (one in the UK and one in the EU), organization’s do need to evaluate the requirements of both laws to make sure they are meeting both requirements (if applicable).
Appoint an EU/UK representative: With Brexit, your UK based representative may not fulfill your EU representation needs under the EU GDPR. However, simply moving your UK-based representative to the EU may cause problems with UK GDPR compliance. Perform an evaluation of your processing activities to determine where you are required to establish representation.
Update your incident response plan: As mentioned earlier, the ICO is no longer an LSA, so if your incident response plan called for notifying the ICO in the event of an EU personal data incident, the plan will need to be updated. In addition, if an incident impacts individuals of both the UK and an EU member state(s), you may be required to notify both the UK and the EU separately.
Update privacy policies and notices: Externally facing policies, such as your website privacy policy, provide a convenient mechanism for evaluating an organizations compliance with the various privacy regulations. If your organization is subject to the UK GDPR your policy needs to reflect this.
Update your data processing agreements/contracts: While this needs to be done, it is important to remember that we are awaiting approval of new standard contractual clauses (SCCs) , which will hopefully be available soon. Perform an evaluation to determine if it is more important to get contracts/data processing agreements signed now (only to have to replace them in the coming weeks or months) or to focus efforts on other areas, such as evaluating the need for additional safeguards, and wait for the release of the updated SCCs. 2020 was a year that saw many data privacy issues from Brexit, to the Schrems II decision and the invalidation of Privacy Shield, to California’s Consumer Privacy Rights Act (CPRA), to the increased use of facial recognition, and massive collection and use of tracking information for contact tracing to help control the spread of COVID-19. As more individuals become interested in how their personal data is being captured and used, and more organizations are held accountable for their data processing practices – there is little doubt that data privacy will continue to be an important topic. In 2021 and beyond, we are hopeful that organizations and governments continue down the path to ensure personal data is used fairly, lawfully and transparently.