The UK has left the EU and the transition period will end on 31 December 2020. This will affect the movement of goods, services and people to and from the UK, including data.
If your business or organisation receives personal data from the EU/EEA, there are steps you need to take now to ensure that you are ready for the new rules from 1 January 2021.
What is personal data?
Broadly speaking, personal data is any information that can be used to identify a living person. This type of information is regularly used in the daily running of most businesses and organisations.
How could this apply to me?
You may receive a personal data transfer from an EU partner. For example:
- Your company receives customer information from an EU company, such as names and addresses.
- You manage your HR data, such as staff working hours and payroll details, via partners based in the EU.
What do I need to do?
The EU is currently undertaking a data adequacy assessment of the UK. It’s expected that this assessment will be completed by 31 December 2020. What you will need to do depends on the outcome of this assessment.
What is data adequacy?
Data adequacy is a status granted to a country which is outside the European Economic Area (EEA). It indicates that the country provides a level of personal data protection comparable to that in European law, allowing the flow of data to continue.
If granted to the UK, data adequacy would allow the free flow of personal data from the EU/EEA to the UK to continue without any further action by organisations.
There are three possible outcomes to the assessment:
The assessment is completed by 31 December 2020 and adequacy is granted.
UK businesses would need to take no further steps to ensure data protection apart from those they are bound to under the Data Protection Act of 2018. You can find out more about data protection with our guide.
The EU’s assessment is not completed by 31 December 2020.
You would be required to put steps in place to ensure you can lawfully receive personal data from the EU/EEA from 1 January 2021. For most businesses, this will take the form of Standard Contractual Clauses (SCCs).
The EU does not grant data adequacy to the UK.
The EU can choose to grant partial adequacy which allows certain sectors or registered companies to transfer data, or to not grant adequacy at all. Although unlikely to happen, this outcome would result in the requirement for appropriate safeguards, such as the use of SCCs.
What is an SCC?
A Standard Contractual Clause (SCC) is a set of terms and conditions to help to protect personal data when it leaves the EEA and is no longer protected by GDPR.
How do I prepare one?
The ICO has an interactive tool which will help you decide if an SCC is appropriate for your business. It allows you to build and download an SCC for your transfer.
Does this mean that GDPR no longer applies?
No. GDPR will be retained in domestic law at the end of the transition period, so you’ll still need to stay on top of GDPR compliance. However, the UK will have the independence to keep the framework under review.
Where can I go for further guidance?
FSB members have access to an online library of over 1,000 legal documents, factsheets and templates via the FSB Legal Hub, as well as a 24/7 legal advice line.