On the 31st December 2020, the Brexit transition period came to an end. The Brexit Trade Deal negotiated on the 24th December 2020 allows for the delay of any changes for at least 4 months, giving your organisation more time to prepare.
Does this apply to my organisation?
If your Organisation does not have offices, branches or other establishments in the EEA (European Economic Area) but you undertake data processing of individuals within the EEA in relation to goods and services that you offer then the below checklist will apply to you. This will not apply to you if you send and receive data into and from other countries (including European countries) directly with consumers. If, however you store data in other countries via a cloud infrastructure for example, this will still apply to your organisation.
Our platform can help you simplify this process by mapping out your data flows so you can see the countries you send your data to, the types of data you hold and the rules to follow under each circumstance.
How can my organisation prepare?
1. Map your data flows
You need to identify and map any flow of data between your organisation and the EEA. It is also helpful to identify the time and date of these data transfers so that you can identify new data being collected now that the transition period has ended and those that were collected before the end of the transition period (1st January 2021) which will be considered as ‘legacy data’. Legacy data is personal data of individuals outside of the UK being processed within the UK, which were either acquired before the transition period ended, or where it is being processed on the basis of the Withdrawal Agreement, after the end of the transition period. Any data transferred before will be subject to EU GDPR whilst data collected after this date would be subject to UK GDPR rules. EU law refers to the law applicable on the last day of the transition period.
Note: the ICO advises that large volumes of data, special category data (such as medical records) or criminal convictions, and business critical data should be mapped first and detailed fully.
2. Update your Records of Processing Activities (ROPAs)
Once you have identified and mapped out your data, your organisation should update your Records of Processing Activities (ROPAs) accordingly to evidence your compliance.
3. Identify the relevant safeguards
As the UK is now considered a ‘third country’, this means that transferring data between the UK and the EEA would involve extra safeguards that were not needed before Brexit. Until a has been made which would deem the UK as having met the EU data protection standards and thus able to transfer data freely, these safeguards can be in the form of:
- SCCs - The most common for SMEs are Standard contractual clauses (SCCs) which are contracts that have been pre-approved by the EU that allows a company to continue transferring data between the EEA after the UK leaves the European Union.
- BCRs - For larger corporations, it is more common to adopt binding corporate rules (BCRs) as they are suited for international transfers between separate entities within the same organisation and thus better suited to global businesses. They are internal codes of conduct which apply to multinational groups.
There are a number of exceptions to this as set out in Article 49 of the UK GDPR under which you may be able to continue transferring data such as:
- Explicit consent from the individual to have their data transferred between the EEA and the UK in this precise manner and not just a general acceptance from the individual
- Performance of a Contract in which you have a contract with the individual whose data you are transferring and the transfer itself is only on an occasional basis
- Reasons of Public Interest or Exercise of Legal Claims, both of which involves following prescribed laws and regulations
- Transfer of public registers
- In the Vital Interest of someone unable to consent
- Compelling legitimate interest of which the transfer is a one-off transfer
Further information on what constitutes the above-mentioned exceptions complete with examples can be found on the ICO website.
4. Identify and appoint a Representative in the EEA
Identify whether you process an individual's data from the EEA that relates to the goods or services you offer them or if you are monitoring the behaviour of individuals in the EEA. If your organisation answers yes to either of these, you will need to consider appointing an EEA representative. Such representatives must be authorised in writing which can be done via a simple service contract. The representative must also be able to effectively communicate with the data subjects and so should be ideally using the language of the data subjects. Finally, representatives should be provided with relevant and up to data information in order for them to fulfil their role.
Note: your data map should be able to tell you which country within the EEA is the most suitable for you to appoint a data representative in.
5. Identify the EEA Lead Supervisory Authority
A Lead Supervisory authority acts as a lead on behalf of other EEA countries so that controllers and processors inside the EEA need only deal with one supervisory authority as opposed to 28, when they conduct cross-border processing (transferring data between the EEA countries). This is known as the ‘one stop shop’ mechanism. This also means that companies should only be investigated by one authority and issued with one fine. But since the transition period has ended, the UK can no longer conduct ‘cross-border processing’ as it is now a third country and consequently, the UK ICO can no longer be viewed as a Lead Supervisory Authority for the EEA. As such, your organisation would need to comply with both a designated EEA lead supervisory authority as well as the UK ICO.
For example, if you currently have branches or establishments in an EEA country as well as a UK branch and you process the data across the two branches, you are conducting cross border processing which will no longer fall under the bracket of cross-border processing. As such, if there is a data breach affecting your customers both within the EEA country and the UK, you may be liable under both the UK Supervisory authority (ICO) and the EEA lead supervisory authority, and be fined on both occasions. Equally, if you process data solely within the UK but the processing may affect customers within the EEA, you are still liable under both authorities should your processing cause a data breach that impacts customers in those countries.
6. Update your Organisation’s Privacy Policy
You should also consider updating your privacy policies to reflect the changes your organisation will make in light of the end of the transition period so that your customers understand how their data will flow between the EEA and the UK.
7. International data transfers between the UK and non-EEA countries
There is a need to comply with the UK GDPR if non-EEA countries wish to send data to the UK. The UK will recognise existing adequacy decisions such as those negotiated with Canada and Israel but are also free to make new ones from 1st January 2021. A list of the current adequacy decisions can be found here. If adequacy decisions are not achieved, the UK will need to meet each sender’s local law requirements.
Summary
Overall, you should consider where your data is currently being processed and where your data processors and controllers are located. If it is within an EEA territory, you should look into appointing an EEA Representative that fits the aforementioned criteria and identifying the Supervisory Authorities you may need to deal with. Organisations will also need to consider on what basis data is being transferred into the EEA (goods or services or monitoring purposes) and the types of safeguards that are best suited to your organisation, in light of no adequacy decisions yet being made.
Disclaimer
Privasee does not hold the above article to constitute legal advice in any form.
More information can be found on the ICO Website - Data Protection now the transition period has ended.
Frequently asked questions
We never have access to any of your data, our platform is able to scan each tool and provide recommendations without needing to access any of the data within those tools. There's no need for your dev' team to do anything, there are no security risks, just tell us the tools you use and we will do the rest.
Our policies are not just about my website or service. Once set up, our platform will help you map-out internal and external processes, such as HR, finance, and more!
We recommend replacing your current policy with our policy, this way you’ll remain compliant as your business changes and as the laws update.
Setting up is easy, just follow the on-screen commands and go through a few short steps to add your tools. You don't need any technical ability, anything you don't know the answer to you can ask us via our live chat or add later.
A template will not be applicable to your particular business as there are many things to consider for each tool you use. Also the template will not automatically update when changes happen in your business and when changes to GDPR laws are released. This can leave you vulnerable to breaking GDPR laws.
We have a huge selection of tools pre-loaded and anything you don't see you can add directly from the platform as well as mapping data for any custom software you may use.
Our Essential Plan is perfect for people just getting started, small businesses, self-employed people and early stage companies. It allows you to get set up and start making your site GDPR compliant. You can move to our pro plan when you grow and your needs become more complex.
Our Pro Plan is aimed at SMEs and is our most popular plan as it includes everything you'll need such as a cookie banner, multiple languages as well as dedicated support.
Our Agency Plan is aimed at businesses that operate with clients needing GDPR solutions. The plan allows you to onboard clients as well as benefit from the Pro Plan for your own site.
Our Enterprise Plan is our most customisable and inclusive plan aimed at large, corporate businesses. We will essentially build you a bespoke plan with full maintenance support, onboarding classes and full company-wide access.
Feel free to get in touch to discuss our GDPR Compliance Software solution.
Signing up is super easy. The platform will ask you a few basic questions and then you can add your tools - don't worry if you don't know them all, you can come back and add tools at any point. The platform will then generate you the correct privacy policy based on your information, you can there share it directly on your site. That's it!
Privasee has a plan for smaller companies as well as larger enterprise companies. For companies small to medium you can signup directly. For bigger enterprise companies get in touch with your requirements and our team will build you a bespoke plan.
You have a legal responsibility to keep your policy up to date with every change in legal requirements for every tool you have. With Privasee you are always covered.