Recent weeks have seen several changes in the world of data, but how do they affect businesses and what, if anything, should you be doing?
GDPR and Brexit
Strictly speaking, following Brexit, the GDPR no longer has direct effect in the UK. However, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 effectively introduced the ‘UK GDPR’ into national law, supported by the Data Protection Act 2018. In practice this means businesses will still need to comply with the GDPR’s requirements, albeit under a different regulation.
The UK-EU Trade and Cooperation Agreement (TCA) signed in December stated that nothing will change immediately in terms of data protection following the end of the transition period. For a period of at least four months (which will automatically be extended to six months providing neither the UK nor the EU objects), the UK will not be treated as a third country in terms of data processing. Data can therefore still move freely between the UK and EU. However, businesses should note the June date and keep abreast of potential changes which may need to be implemented. Although it is hoped that the EU will accept UK data protection laws by giving the UK an ‘Adequacy Decision’, this is not guaranteed, and alternative mechanisms may be needed in the future to allow data to flow freely.
New regulations now also apply where a business is UK based and doesn’t have an EU/EEA base but offers services to, or monitors the behaviour of, individuals in the EEA. These businesses may need to have an EEA representative to act on their behalf in relation to EU GDPR compliance. The representative must be based in a country where individuals whose data you are processing are based, and you have to provide the relevant regulator with details of who your representative is.
New ICO data sharing code of practice
The Information Commissioner's Office (ICO) published a new data sharing code before Christmas which, when approved by Parliament, will have implications for compliance with data protection law.
The Data Sharing Code of Practice will become a statutory code of practice and will offer guidance on sharing personal data.
The ICO recognises the benefit of sharing data, particularly during the current COVID-19 pandemic where sharing information has been vital in the efforts to support vulnerable people. A good example of this was the sharing of data between public authorities and supermarkets regarding people who are shielding to allow prioritisation of food deliveries.
The aim of the guidelines is to ensure that data is shared fairly, lawfully and in a secure way. The code is likely to come into force within the next 2 months.
Actions to consider:
- Have you appointed an EEA representative and amended your website and policies to reflect this?
- Have you amended any references to GDPR on your website and in your documents?
- Do you carry out Privacy Impact Assessments when sharing data?
- Do you have the appropriate data sharing agreements in place between relevant parties to protect any data you share?
If you would like to discuss what measures your business should be considering to protect the way you use, share or move personal data or any other queries relating to GDPR and data protection, please contact Matt Jackson (01242 248240 or firstname.lastname@example.org) or another member of the BPE Commercial team.
These notes have been prepared for the purpose of articles only. They should not be regarded as a substitute for taking legal advice.