Whilst the initial post-Brexit period focused on the import and export of goods, questions are turning to the transfer of data and the impact of Brexit on information governance.
We are now almost 6 months on from the end of the transition period, when the UK left the European Union (EU). Both Brexit and the Covid-19 pandemic have had a significant impact on the import and export of goods, but as international trade agreements begin to settle, questions are turning to the transfer of data and the impact of Brexit on information governance.
What has changed?
In practice, very little has changed for those co-operatives who have already reviewed and updated their information governance to comply with GDPR.
In theory, the UK has the ability to make its own data legislation. If you operate inside the UK, you will need to comply with UK data protection law. Helpfully, Northern Ireland is treated no differently from the rest of the UK for data protection purposes. The Channel Islands are treated separately from the UK, although data is currently able to flow between the Channel Islands and Europe, and between the Channel Islands and the UK.
Do I need to worry about GDPR at all?
The GDPR has been fully incorporated into UK data protection law as 'UK GDPR'. There is little change to the core data protection principles, rights and obligations found in UK data legislation, and it remains relevant for UK-based co-operatives.
The EU GDPR may also still apply directly to you if you operate in the European Economic Area (EEA), offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA.
Similarly, organisations that operate in Europe and send personal data to you in the UK will need you to work in a way which supports their own compliance with EU GDPR.
Can we still transfer data with Europe in the normal way?
Despite leaving the EU in December 2020, the EU agreed to delay restrictions on the transfer of data from the EEA to the UK until 30 June 2021 (known as the 'bridge'). Whilst we are waiting in this 'bridge' stage, the European Commission will assess whether UK data legislation is sufficiently aligned with the EU's requirements for data to flow freely between the EEA and the UK. This assessment is referred to as the EU's 'adequacy decision'.
You should update your documentation and privacy notice to expressly cover transfers between the UK and the EU, recognising that the UK is now a third country and reliant upon the European Commission's adequacy decision. You should also identify those areas where the exchange of personal data between the UK and the EU is business critical.
If the draft adequacy decisions are not formally approved, you will need to consider using 'standard contractual clauses' to maintain your data exchanges with the EEA. These are a set of standard terms which offer sufficient safeguards on data protection for the data to be transferred internationally. The ICO has copies of the standard contractual clauses available on its website although these are under review and you should seek specific legal advice where transfers of personal data form an essential part of your business.
Do I need a European representative?
If you offer goods or services to individuals in the EEA, or you monitor the behaviour of individuals in the EEA, and you do not have a branch or office based in the EU or an EEA state, you may need to appoint a representative in the EEA. A representative is someone who can act on your behalf regarding EU GDPR compliance and is often appointed using a services contract, enabling them to deal with any supervisory authorities or data subjects in the EU.
You do not need to appoint a representative if your processing is only occasional, of low risk to the rights of individuals, and does not involve the large-scale use of special category or criminal offence data.
When deciding whether your activities are "low risk", the ICO advises you to take a cautious approach and only rely on this exemption where you are confident the processing will have no impact on the people concerned. A Canadian-based company, locatefamily.com, was recently fined €525,000 by the Dutch equivalent of the ICO for failing to designate a GDPR representative. The platform, which allows users to search for the contact details of people they have lost track of, was brought to the regulator's attention after a series of complaints.
Therefore, you should consider appointing an EU representative if you, for example:
- Regularly sell items to customers based in the EU and process their bank details or shipping information.
- Often employ staff from the EU or have staff or members who are based in Europe.
- Use advertising campaigns which send direct communications to individuals based in the EU.
- Profile website users or carry out market research on individuals based in the EU.
Do our European partners need to appoint a UK representative?
Organisations which are based outside the UK will need to comply with UK GDPR and appoint a UK representative if they:
- Do not have a branch or office in the UK; and
- Offer goods or services to individuals in the UK; or
- Monitor the behaviour of individuals in the UK.
Where you are working with such EU-based organisations, either as customers or suppliers, you should check whether they have authorised an individual or organisation to represent them in the UK and to act on their behalf in respect of the ICO and UK data subjects.
What about the rest of the world?
All 12 of the third countries deemed adequate by the EU are maintaining unrestricted personal data flows with the UK. Currently, these include: Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Isle of Man, Israel, Japan (private-sector organisations only), Jersey, New Zealand, Switzerland and Uruguay.
For all other countries, including the United States, you will need to use the 'standard contractual clauses' to maintain your data exchanges with countries outside the EEA.
It has been 3 years since GDPR was implemented and, with it, we have all become accustomed to greater scrutiny of our data management and information governance.
Not only have the responsibilities remained, but it is also clear that digital governance will be an ever-increasing area of scrutiny. The ICO and Competition and Markets Authority have recently issued a joint statement, setting out their shared views on the relationship between competition and data protection in the digital economy.
For co-operatives that operate internationally and for those that are reliant upon cross-border collaboration, this will require them to comply with requirements in both UK and EU jurisdictions. When considering what immediate action to take, you should:
- Carry out a data-mapping exercise to identify where personal data crosses international borders and update your privacy notices.
- Assess whether these activities are "low risk" and either appoint an EU representative or document your reasons as to why one is not necessary.
- Identify those business-critical activities which rely on international data transfer and consider whether you need to incorporate standard contractual clauses (in case the European Commission determines that UK legislation does not offer an adequate level of data protection).
- Ensure your project managers understand the risks where personal data is exchanged between the UK and other countries so that they can build in extra safeguards for future activities.
You can read more information on how to handle international transfers of personal data after the EU exit.