Data Protection after Brexit


If your UK business receives personal data from the European Union (EU)/European Economic Area (EEA), there are certain things you need to do to ensure that you are ready for the new rules which apply from 1st January 2021.

Personal data

In general, personal data is any information that can be used to identify a living person and you are likely to use this sort of information in the running of your business.

You may receive a personal data transfer from an EU/EEA partner. This could be for a number of reasons, but the most common usually involves your business receiving customer information from an EEA company, such as names and addresses, delivery details and IP addresses, so that you can provide goods or services.

Does my business need to do anything?

Data adequacy is a status granted to a country that is outside the European Economic Area (EEA). It indicates that the country provides a level of personal data protection comparable to that in European law, allowing the flow of data to continue.

It was announced by the EU on 28 June 2021 that adequacy decisions have been approved for the UK. This means that UK businesses can continue with their current practices in regard to receiving data from the EU and no further changes are needed to the way you send personal data to the EU/EEA, Gibraltar and other countries deemed adequate by the EU. All 12 of the third countries deemed adequate by the EU are maintaining unrestricted personal data flows with the UK.

Data protection and GDPR

Data protection is about ensuring people can trust you to use their data fairly and responsibly.

The UK’s data protection regime is set out in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It takes a flexible, risk-based approach which puts the onus on you to think about and justify how and why you use data.

The Information Commissioner (ICO) is the UK’s independent supervisory authority on data protection. It offers advice and guidance, promotes good practice, carries out audits, considers complaints, monitors compliance and takes enforcement action where appropriate.

Does this mean that GDPR no longer applies?

No. GDPR has been retained in UK domestic law at the end of the transition period, so you’ll still need to maintain GDPR compliance. However, the UK will have the independence to keep the framework under review.

Importance of Cyber Security

Aside from the normal precautions and care taken over data security, effective data protection relies on businesses adequately protecting their IT systems from malicious interference. In implementing the GDPR standards, the Data Protection Act requires businesses which handle personal data to evaluate the risks of processing such data and implement appropriate measures to mitigate those risks. For many organisations such measures include effective cyber security controls, and the importance of these controls cannot be stressed enough.

Additional Resources

You can obtain further and more detailed guidance using the links below:

Information Commissioner’s Office: Interactive tool for selecting and building SCCs

GOV.UK: Using personal data in your business or other organisation after the transition period

Full guidance on the new regulations can be found on the GOV.UK website.

Countries in the EU and EEA

The European Union (EU) is an economic and political union of 27 countries. It operates an internal (or single) market which allows free movement of goods, capital, services and people between member states.

The EU countries are:

Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden.

The European Economic Area (EEA) includes EU countries and also Iceland, Liechtenstein and Norway. It allows them to be part of the EU’s single market.

Switzerland is not an EU or EEA member but is part of the single market.

Data Protection after Brexit is a topic we often talk to our clients about. If you need advice, do reach out to us. Check out Tricord’s offerings for Direct Mail and our e-Commerce and Fulfilment Services.