Brexit brought a changing legal landscape, and data protection law is one of the areas that has required businesses to check their compliance procedures and processes to make sure they are up to date.
By Debbie Venn, Partner, DMH Stallard LLP
Impact of Brexit
Brexit impacted many areas of legal compliance and business operations, including the transfer of personal data between the UK and EU. The UK retained a plethora of EU laws (as retained EU law), including the General Data Protection Regulation 2016, which sits alongside the UK Data Protection Act 2018 and has led to the creation of the UK GDPR. If your business only processes personal data within the UK, then not much has changed; but if your business transfers personal data outside the UK or EU, there are updates to be aware of in order to comply with applicable laws.
Transferring data internationally – what needs to be done?
If personal data about EU citizens is coming into the UK, the transfer can take place without much change, as the EU has issued a decision stating that the UK’s data protection laws provide an ‘adequate’ level of protection for personal data. However, where data subjects in the UK or EU have their personal data transferred outside the UK or EU, additional measures must be taken to keep that personal data secure, depending on where it is being transferred to.
For example, if personal data about an individual is being transferred to the USA because a UK company has its IT systems hosted there, this would be classified as an international transfer of personal data and would require certain measures to be put in place with the hosting provider to keep that personal data secure. Previously, the Privacy Shield had been used by US businesses (through a certification process) to show that they had sufficient security measures in place, allowing personal data to be transferred to them without any problem.
However, a court case known as ‘Schrems II’ has meant that the Privacy Shield is no longer valid, so businesses need to take further measures to make sure that personal data is kept secure when transferred to countries outside the UK/EU. Businesses therefore need to review any measures they already have in place with suppliers and update these where necessary.
If a business is transferring personal data to other countries outside the UK/EU, it needs to check whether there is an ‘adequacy decision’ for that country. If there is none in place, it needs to make sure that additional measures are in place to keep personal data secure, e.g. using the UK International Data Transfer Agreement or the EU Standard Contractual Clauses, as applicable.
Other technical considerations
What should you be doing now?
• Update your data flow maps (or create them if you have none).
• Make sure that you have suitable measures in place to deal with any international data transfers, including any required international data transfer agreements.