If your business or organisation receives personal data from the EU/EEA, there are steps you need to take now to ensure that you are ready for the new rules from 1 January 2021.
What is personal data?
Broadly speaking, personal data is any information that can be used to identify a living person. This type of information is regularly used in the daily running of most businesses and organisations.
How could this apply to me?
You may receive a personal data transfer from an EEA partner. For example:
- Your company receives customer information from an EEA company, such as names and addresses.
- You manage your HR data, such as staff working hours and payroll details, via partners based in the EEA.
What do I need to do?
The ICO have a dedicated hub to help small businesses ensure they stay data compliant when sending or receiving data from EEA countries.
The EU is currently undertaking a data adequacy assessment of the UK. What you will need to do depends on the outcome of this assessment.
What is data adequacy?
Data adequacy is a status granted to a country which is outside the European Economic Area (EEA). It indicates that the country provides a level of personal data protection comparable to that in European law, allowing the flow of data to continue.
If granted to the UK, data adequacy would allow the free flow of personal data from the EU/EEA to the UK to continue without any further action by organisations.
There are two possible outcomes to the assessment:
The assessment is completed by and adequacy is granted.
UK businesses would need to take no further steps to ensure data protection apart from those they are bound to under the Data Protection Act of 2018. You can find out more about data protection with our guide.
The EU does not grant data adequacy to the UK.
The EU can choose to grant partial adequacy which allows certain sectors or registered companies to transfer data, or to not grant adequacy at all. Although unlikely to happen, this outcome would result in the requirement for appropriate safeguards, such as the use of SCCs.
What is happening at the moment?
If you transfer data to the EEA, you need take no further action at this point in time.
If you receive personal data from an organisation in the EEA it must follow EU data protection laws. For most businesses, this will mean the use of Standard Contractual Clauses (SCC).
What is an SCC?
A Standard Contractual Clause (SCC) is a set of terms and conditions to help to protect personal data when it leaves the EEA and is no longer protected by GDPR.
How do I prepare one?
The ICO has an interactive tool which will help you decide if an SCC is appropriate for your business. It allows you to build and download an SCC for your transfer.
Does this mean that GDPR no longer applies?
No. GDPR will be retained in domestic law at the end of the transition period, so you’ll still need to stay on top of GDPR compliance. However, the UK will have the independence to keep the framework under review.
Where can I go for further guidance?
FSB members have access to an online library of over 1,000 legal documents, factsheets and templates via the FSB Legal Hub, as well as a 24/7 legal advice line.