If you receive personal data from, or transfer personal data to, other countries (including the EEA) there are certain things your business needs to consider, Alex Zachary, corporate and commercial lawyer, B P Collins advises.
In relation to data protection, now that the Brexit transitional period has ended, the UK version of the General Data Protection Regulation has replaced the EU GDPR rules, but all the main principles, obligations and rights remain essentially the same. Therefore, if you are a UK business that has complied with the GDPR rules up to now and do not process any personal data from the EEA or send any personal data to the EEA, then you should still be data protection compliant.
If you do receive personal data from, or transfer personal data to, other countries (including the EEA) there are certain things your business needs to consider.
The first thing is to understand your international flows of personal data. Key transfers to identify will be from the EEA to the UK.
EEA controllers or processors of personal data will be able to transfer that data to the UK without any further safeguards being required, if and when the European Commission issues an adequacy decision for the UK. The UK is currently going through an adequacy assessment and whilst a draft adequacy decision has been published, that is only the first step in the process and the approval of the EU countries and final adoption by the European Commission is still awaited.
At the time of writing this article, data can still flow freely from the EEA to the UK because the EU has agreed to delay transfer restrictions until the end of April 2021, which can, but may not, be extended to the end of June – this is known as the bridge.
If the bridge ends without the EU issuing an adequacy decision in respect of the UK, transfers from the European Economic Area (EEA) to the UK will need to comply with EU GDPR transfer restrictions so businesses will need to put in place additional safeguards, such as putting in place the EC’s standard contractual clauses with each sender or by implementing internal binding corporate rules. Businesses which import significant personal data from the EEA may therefore wish to consider putting appropriate safeguards in place to comply with the EU rules by the end of April to ensure that they can continue to receive data transfers from the EEA lawfully in that scenario.
Additionally, if you are based in the UK and do not have a base in any EU or EEA state, but you either offer goods or services to individuals in the EEA or monitor the behaviour of individuals in the EEA, then you still need to comply with the EU GDPR rules for that processing and the EU rules require you to appoint a representative in the EEA. Your representative could be a law firm, consultancy or other service company and they need to be set up in an EU or EEA state where some of the individuals whose personal data you are processing are located. You need to authorise the representative, in writing, to act on your behalf regarding your EU GDPR compliance and to deal with any supervisory authorities or data subjects about that. You will also need to give details of your representative to the EEA-based individuals whose personal data you are processing. That could be done by including their details in your privacy notice or in the information you give them at the point when you collect their data.
In terms of outward transfers of personal data from the UK, the UK Government has already stated that transfers of data from the UK to the EEA are permitted, but will keep that under review.
You may also wish to consider, even if you do not transfer data to and from the EEA, whether you ought to have a gap analysis carried out to assess how compliant your business currently is with the applicable data protection rules and whether there are any gaps that need to be filled. The GDPR rules were rushed into force in May 2018 and some businesses may not have had the time to consider the changes properly or to implement fully compliant policies and processes.
The corporate and commercial team at B P Collins, can help you to assess your compliance with the rules and plug any gaps, including updating your policies and procedures and advising you on how to put in place internal structures to help ensure that everybody in your organisation understands the rules and their role in ensuring compliance with them.
We can also advise you on adopting appropriate safeguards to ensure that your international data transfers can continue whatever the outcome of the EU’s adequacy decision.