Introduction
Data protection is a crucial aspect of modern society, and the UK has always been at the forefront of efforts to ensure that personal data is protected and used responsibly. The General Data Protection Regulation (GDPR) is a set of regulations introduced by the European Union (EU) in May 2018 to protect the personal data of EU citizens. However, with the UK leaving the EU, the GDPR no longer applies to the UK, and the country now has its own UK data protection law known as the Data Protection Act 2018 (DPA 2018).
The DPA 2018 is the same as the GDPR, only adjusted to accommodate domestic areas of law. It was drafted from the EU GDPR law text and revised to reflect the UK’s domestic law instead of EU law. The law governs the processing of personal data by organizations operating in the UK and sets out the rights of data subjects and the obligations of organizations.
UK General Data Protection Regulation
After Brexit, the Data Protection Act 2018 (DPA 2018) became the cornerstone of the UK’s data protection regime. The DPA 2018 incorporates the EU GDPR into UK law and provides additional provisions specific to the UK. The UK-GDPR, also known as the UK General Data Protection Regulation, sets out the rules and regulations for processing personal data within the UK. It applies to all UK businesses, regardless of size, that process personal data. This includes data processing activities by public authorities, intelligence services, and international organizations operating within the UK. The UK-GDPR applies to data processing activities relating to EU data subjects and UK data subjects, regardless of whether the data is processed inside or outside the EU.
The UK-GDPR requires UK businesses to implement appropriate technical and organizational measures to ensure the security of personal data, including efforts to prevent unauthorized access, alteration, disclosure, or destruction of personal data. Additionally, UK businesses must appoint a data protection officer (DPO) if they are a public authority, carry out large-scale systematic monitoring of data subjects, or process special categories of personal data.
The impact of Brexit on UK data protection
The Brexit withdrawal agreement provided a transition period until December 31st, 2020, for the UK to prepare for a new relationship with the EU. During this period, the EU GDPR continued to apply to the UK. As of January 1st, 2021, the UK is no longer part of the EU and is considered a third country. The UK Data Protection Act 2018, which incorporates the EU GDPR, has been retained as part of UK law. The UK government has confirmed that data protection principles will remain unchanged, and UK businesses will continue to be subject to the same data protection standards as before.
However, there are some implications for data transfers between the UK and the EU. The EU considers the UK to have an equivalent level of data protection to the EU. As a result, personal data can continue to flow between the UK and EU without additional safeguards. However, UK businesses will no longer have direct access to the EU single market and may need to take additional steps to comply with EU data protection laws. Additionally, UK businesses will no longer be able to rely on EU adequacy decisions, which allow unrestricted personal data flows to countries outside the EU that are deemed to have an equivalent level of data protection. Instead, UK businesses will need to rely on alternative mechanisms, such as standard contractual clauses or binding corporate rules, to ensure that data transfers from the EU to the UK comply with EU data protection regulations.
What are data subjects, and what rights do they have?
The term “data subject” refers to an individual who is the subject of personal data being processed by a controller or processor. The rights of data subjects under GDPR include the right to:
Access
Data subjects have the right to request access to their personal data and be informed of how their data is used.
Rectification
Data subjects have the right to have their personal data rectified if it is inaccurate or incomplete.
Erasure
Data subjects have the right to request the erasure of their personal data in certain circumstances, such as if it is no longer necessary for the purpose for which it was collected.
Restrict Processing
Data subjects have the right to restrict the processing of their data in certain circumstances, such as if they dispute the accuracy of the data.
Data Portability
Data subjects have the right to receive their data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
Objection
Data subjects have the right to object to processing their personal data in certain circumstances, such as for direct marketing purposes.
Automated Decision-Making
Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
How to stay compliant with GDPR in the UK post-Brexit era
With the UK officially leaving the EU and the GDPR no longer applies, UK businesses must understand and comply with the UK’s domestic data protection legislation, the Data Protection Act 2018. Here are some steps UK organizations can take to stay compliant:
Appoint a Data Protection Officer (DPO) if required. The DPO is responsible for ensuring the organization complies with data protection laws and regulations, including the DPA 2018.
Review data processing activities. Organizations should regularly review and assess their data processing activities to ensure they comply with the DPA 2018.
Implement appropriate safeguards for data transfers. The DPA 2018 requires organizations to have proper safeguards to transfer personal data internationally. This includes standard contractual clauses, binding corporate rules, and other appropriate measures.
Train employees. It’s vital for employees to understand their obligations under the DPA 2018 and to know how to handle personal data securely. Organizations should provide regular training and education to their staff.
Regularly monitor compliance. Regular monitoring and reporting of compliance with the DPA 2018 can help organizations identify and address any potential issues before they become significant problems.
Binding Corporate Rules: A guide for UK businesses
Binding Corporate Rules (BCRs) are a set of legally binding corporate policies and procedures that allow multinational companies to transfer personal data from the EU to the UK and other third countries in a way that complies with EU data protection laws. BCRs are designed to provide companies with a framework for transferring personal data between different affiliates within the same organization and can be used to demonstrate that appropriate safeguards are in place to protect EU data subjects’ rights.
For UK businesses operating in the EU, BCRs can effectively manage the risks associated with international data transfers, as they provide an additional layer of protection over and above standard contractual clauses. To obtain approval for BCRs, companies must demonstrate that their data protection policies and practices align with EU data protection laws and regulations and that they have appropriate measures to manage any data protection risks. The European Data Protection Board (EDPB) is responsible for assessing and approving BCRs, and the process of obtaining approval can take several months. To succeed, companies must provide a comprehensive and well-structured application that demonstrates the robustness of their data protection policies and practices and shows how they will be implemented.
The European Data Protection Board and its impact on UK GDPR compliance
The EDPB is an independent body that provides guidance and ensures consistency in applying the General Data Protection Regulation (GDPR) across the European Union (EU) Member States. It was established in accordance with the GDPR to replace the former Article 29 Working Party. The EDPB is responsible for guiding businesses and data protection authorities on crucial issues related to GDPR compliance and helping ensure a consistent approach to data protection across the EU.
Despite the UK’s departure from the EU, the EDPB still impacts UK businesses and their obligations under the UK GDPR. The EDPB provides guidance and advice on various topics related to data protection, such as transfers of personal data, the processing of personal data for law enforcement purposes, and data protection impact assessments. This guidance can help UK businesses understand their obligations under the UK GDPR and ensure that they comply with the UK’s data protection laws. Moreover, the EDPB can also make decisions on matters related to GDPR compliance, which are binding on all EU Member States, including the UK. This means that UK businesses may still need to take into account the decisions made by the EDPB in their compliance with the UK GDPR.
Transferring personal data internationally
International transfers of personal data are subject to special rules and restrictions under the EU GDPR and the UK Data Protection Act 2018 (DPA 2018). UK businesses must take appropriate steps when transferring personal data across borders to ensure compliance with these regulations. One key aspect of international data transfers under the GDPR and DPA 2018 is ensuring that the data is adequately protected. This means that the data must be subject to appropriate safeguards, such as standard contractual clauses, binding corporate rules, or an adequacy decision from the European Commission, which certifies that the recipient country has adequate data protection laws.
Another important aspect of international data transfers is ensuring that the UK business has a clear understanding of the data protection laws in the recipient country. This includes understanding the rights of data subjects and the obligations of the business under the relevant data protection regime. It is also essential to consider the potential impact of Brexit on international data transfers. During the transition period, the UK remained part of the European Economic Area (EEA) and therefore continued to comply with EU data protection laws. However, as of January 1st, 2021, the UK is no longer part of the EEA and has its separate data protection regime.
To ensure continued compliance with international data protection laws, UK businesses must remain vigilant and keep abreast of changes to both EU and UK data protection laws. This includes regularly reviewing and updating their data protection policies and procedures and seeking advice from experts as necessary.
How to send personal data from the UK to the EU
With Brexit, the UK is no longer a member of the European Union, but it is still vital for UK businesses to be able to send personal data to the EU. So, UK businesses must comply with the GDPR’s requirements for international data transfers. One option for UK businesses is to use Binding Corporate Rules (BCRs). This ensures that data transferred between the UK and the EU is protected by the same high standards, regardless of where it is processed.
Another option is to use Standard Contractual Clauses (SCCs). SCCs are sets of clauses approved by the European Commission and provide appropriate safeguards for transferring personal data from the EU to third countries. UK businesses can incorporate these clauses into their contracts with EU companies to ensure that the GDPR’s requirements protect the data transferred between the two. Finally, the UK may be deemed to have adequate data protection laws by the European Commission, allowing unrestricted personal data flow between the UK and the EU. This decision would be based on the UK’s data protection regime and the level of protection it provides to EU data subjects.
Consequences of non-compliance
Failing to comply with GDPR can result in significant financial penalties, reputational damage, and loss of trust from customers. The Information Commissioner’s Office (ICO) is the regulatory authority responsible for enforcing the UK’s data protection legislation. It can impose fines of up to £18 million or 4% of a company’s annual global turnover, whichever is higher.
Organizations can also face legal action from individuals whose data has been misused or subject to a breach. Data subjects have the right to compensation for any damages suffered as a result of non-compliance. Additionally, non-compliance can lead to the suspension of data processing activities, resulting in operational disruption and loss of revenue. It can also impact an organization’s ability to transfer personal data to other countries, hindering international growth and business opportunities.
Conclusion
UK businesses must now comply with the UK’s own data protection regime post-Brexit, separate from the EU’s GDPR. Failure to do so can result in fines and other penalties. It’s essential to understand data subjects’ rights, ensure appropriate safeguards are in place for international data transfers, and comply with the regulations set by the European Data Protection Board. The Information Commissioner’s Office (ICO) is the lead supervisory authority in the UK, and businesses should seek guidance to stay compliant. In order to send personal data from the UK to the EU, UK businesses should consider using binding corporate rules and standard contractual clauses or ensuring that the receiving country has an adequate level of protection as determined by EU adequacy decisions. Staying compliant with data protection laws will help UK businesses continue to operate seamlessly in a post-Brexit world.