Data protection in the UK for the post-Brexit period: Key actions
With the post-Brexit transition period due to expire on 31 December 2020, which key data protection compliance actions should UK-based organisations take?
The UK left the EU on 31 January 2020. Since then, the legal relationship between the UK and EU has been in a period of transition, during which EU law continues to apply to the UK in full and the UK and the EU have had the opportunity to negotiate a free trade agreement and arrangements for cross-border data sharing.
The transition period will expire on 31 December 2020. The UK and EU could have agreed, before 1 July 2020, to extend the transition period beyond that date, but no agreement was reached. Any possibility of extending the transition period after 1 July 2020 will likely depend on amending the international agreements underlying the UK's withdrawal from the EU, which in principle must be ratified by national and regional governments.
With the transition period expiry date edging closer, UK organisations should start planning now for when the UK falls outside the EU data protection legal framework, especially given the increasing likelihood that the EU will not recognise the equivalence of the UK data protection law by 31 December 2020. The Information Commissioner's Office (the ICO) has issued guidance for UK organisations on the implications of this outcome and below we consider the key actions.
Appointing a European representative
If you are a UK-based controller or processor with no offices in the EU, but you offer goods or services to individuals in the EU or monitor their behaviour (in each case as further described in the GDPR), you will (with certain exceptions - see below) need to appoint an EU-based representative by the end of the transition period.
The representative must be based in an EU state where some of the individuals whose personal data you are processing are located. You may appoint an individual, company or organisation as your representative, provided they are established in the EU and will be able to represent you with respect to your obligations under the GDPR. You will need to put in place a written agreement (eg a service contract) that will allow your representative to deal with supervisory authorities or data subjects on your behalf.
You must also ensure that information about the representative is provided to data subjects, for example, in a privacy notice or other upfront information you give when collecting personal data, and easily accessible by supervisory authorities, for example, on your website.
However, you will not be required to appoint a representative if your processing is only occasional, is of low risk to data protection rights of individuals and does not involve a large-scale use of special category or criminal offences data, or if you are a public authority.
Transferring personal data from and to the UK
If you are a UK-based organisation transferring personal data to or from other countries, including the EEA, you should think about the measures you will need to implement to be able to continue carrying out or receiving such transfers lawfully at the end of the transition period.
As the UK government has stated that it intends to recognise the adequacy of data protection laws in the EEA, transfers of personal data from the UK to the EEA should be able to continue freely. You will, however, need to update your privacy notices and other documentation to make sure they are recognised as transfers made under a UK adequacy finding.
If you are transferring personal data from the UK to locations outside the EEA now, you should already have in place appropriate measures. These measures should be checked to ensure they continue to be appropriate:
If you are currently transferring personal data outside the EEA on the basis of adequacy decisions made by the European Commission (the Commission), such as those with Canada or Japan, these should be able to continue freely, as the UK government has indicated that it intends to recognise them but will keep this under review.
Where you are not relying on an adequacy decision by the Commission, you must put in place one of the permitted safeguards, such as standard contractual clauses or binding corporate rules, or rely on one or more derogations. The UK government plans to recognise the standard contractual clauses approved by the Commission as providing an appropriate safeguard for transfers from the UK. If you are transferring personal data from the UK within a corporate group or to a group of overseas service providers, you may consider establishing binding corporate rules. The UK government will recognise binding corporate rules authorised under EU rules before the end of the transition period as ensuring appropriate safeguards for transfers from the UK. Existing binding corporate rules approved by EU authorities must be updated to list the UK as a third country for data protection purposes. Current holders of BCRs approved by the ICO, or whose applications for BCR approval are currently with the ICO, must take steps to ensure their BCRs are also approved by an authority in the EU (see related guidance from the European Data Protection Board (the EDPB) here).
Like their EU counterparts, UK organisations relying on the EU-US Privacy Shield to enable transfers of personal data to the US (which the UK authorities were looking to replicate post-Brexit) will need to look to alternative mechanisms in light of the European Court's decision to invalidate the Privacy Shield scheme (see our initial commentary on the judgment here).
If after the expiry of the transition period you will be receiving personal data from controllers or processors located in the EEA, you must consider whether certain measures, like standard contractual clauses, are necessary so that you may continue to receive the data. If you intend to receive transfers of personal data from non-EEA countries, you and the sender of the data will need to consider local legal requirements for data transfers if, as is likely, the UK government does not agree specific arrangements with such countries before the end of the transition period.
UK organisations should keep an eye out for codes of conduct and certification mechanisms emerging from UK and EU authorities as a further possible legal basis for personal data transfers between the UK and EEA. Guidance on reliance on such codes and mechanisms is expected shortly from the EDPB.
Identifying your regulators
If after the transition period a UK organisation will be processing personal data in a way that substantially affects individuals in the EU, it is likely the organisation will need to identify an EU lead supervisory authority for its activities in the EU in addition to the ICO having jurisdiction in the UK. The identity of that EU authority will depend on whether the organisation has establishments in one or more EU territories and the extent to which individuals in EU states where it does not have an establishment are affected by its activities.
Other actions
There is a range of other housekeeping to be done, from updating references to EU law, UK-EU/EEA transfers and European representatives in privacy documentation, to reviewing data protection impact assessments relating to projects which now involve higher-risk data transfers, to making sure your Data Protection Officer can serve your UK and EEA establishments going forward.