The UK has left the EU and the transition period will end on 31 December 2020 so what links Brexit & Personal Data – What Will Change From January 2021?
This will impact how companies manage the data they receive from the EU or EEA (European Economic Area). Businesses may need to take extra steps to ensure that they can continue to process data legally, as the UK establishes its new relationship with the EU from January 2021.
What is personal data?
Personal data is any information that can be used to identify a living person. This type of information is regularly used in the daily running of businesses and other organisations, for example, in Human Resources, Payroll, Finance, Sales, Purchasing, and Marketing.
What is an example of a personal data transfer from an EU/EEA partner?
- A UK company receives customer information from an EU/EEA company, such as names and addresses of customers, suppliers or partners to provide goods or services
- A UK company receives IP addresses, or human resource data, such as staff working hours and payroll details.
Businesses or organisations that receive this kind of information from an EU/EEA company to provide goods or services must review their processes to ensure that they can legally continue to receive this data from January 2021.
Looking ahead to 1 January 2021
From 1 January 2021, businesses may need to have Standard Contractual Clauses (SCCs) in place with EU counterparts in order to legally receive personal data from the EU.
The EU’s data adequacy assessment of the UK is underway, and the UK Government is confident that adequacy will be established by the end of the transition period, and this will allow for the free flow of personal data from the EU/EEA to the UK to continue without any further action from UK businesses. However, it is important that UK businesses prepare to ensure that they can continue to lawfully receive personal data from the EU/EEA business (or other organisations) if the EU has not made adequacy decisions in respect of the UK before the end of the transition period on 31 December 2020.
If the EU has not reached an adequacy decision by the end of the transition period, businesses will be required to implement alternative transfer arrangements to ensure that they can continue to receive data from the EU/EEA. For most organisations, SCCs (as detailed above) will be sufficient.
Transferring personal data from the UK to the EU/EEA
There are currently no changes required to the way businesses send personal data to the EU/EEA.
Data protection and GDPR
To date, during the transition period, there have been no changes to the UK’s data protection regulations. EU data protection laws, including the GDPR continue to apply, alongside the Data Protection Act (2018).
The Information Commissioner remains the UK’s independent supervisory authority on data protection.
After the end of the transition period, both the GDPR and the Data Protection Act (2018) will remain part of UK law. Any changes to legislation will be implemented in the usual way, however, at this time no changes are planned.
Are there additional steps businesses need to take to prepare for the end of the UK’s transition period?
There may be other steps each business needs to take to prepare for January 2021. To understand the specific changes that may be required for your business you can use the assessment tool on the government website.
Your team might also need extra training on this subject, visit our Change Management page to find out more.
We strongly recommend that employers:
- Review their current arrangements to ensure they continue to comply with the GDPR and the Data Protection Act
- Establish whether any data transfers from or to the EU/EEA are required for their business
- Develop and implement SCCs where required
We hope we have answered or given you ideas around the topic: Brexit & Personal Data – What Will Change From January 2021?
For further information, advice, or support in changing contracts of employment, please contact us at firstname.lastname@example.org.