UK GDPR

The UK’s membership of the European Union (EU) formally ended on 31 January 2020, and the regulations imposed on the UK by Europe no longer apply directly.

Foreseeing this, the UK Government passed a wide range of Brexit-related legislation to maintain short-term continuity. This is the start of divergence, and more significant divergence is expected in the weeks and months that follow.

The law currently applying to Data Protection in the UK is:

The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) (No.2) Regulations 2019.

This note outlines our views and the prevailing information on:

  1. Impact on business
  2. The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019
  3. The difference between the UK GDPR and the EU GDPR
  4. The version of GDPR that you should apply during the transitional period
  5. Changes to Data Enforcement and Supervision
  6. The role of the Information Commissioner (ICO)
  7. Cross UK/European Border Data Processing
  8. Appointment of UK Data Representative with EU
  9. Freedom of Information Act -FOIA
  10. Environmental Information Regulations –EIR
  11. First UK Fine under The GDPR – A pharmacy – £275,000
  12. What you should do now

  1. How much of an impact will Brexit have on business?

While there is sure to be some level of impact for everyone, the impact of Brexit on each business will depend on the type of business and, most importantly, in which jurisdiction they collect and process data.

Due to the 12-month Brexit transition period, the impact on business is unlikely to be immediate, but it is important to note that the information set out here may change during the course of political negotiations.

It is hoped that these negotiations will be completed successfully within the 12-month transition period, but this is a very short time frame and there is a very real possibility that a deal with the EU will not be completed. In this situation the rules on data protection, GDPR and PECR, as well as numerous others, could change radically and quickly.

  2. What is the purpose of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) (No.2) Regulations 2019?

As the GDPR no longer applies directly in the UK, these new regulations introduce a single regime for general processing activities, generally referred to as the UK GDPR. They also replace references to EU member states, institutions, procedures and decisions that will no longer be directly relevant after Exit.

The law revokes the regulations on the processing of data by EU institutions, as well as EU adequacy decisions on standard contractual clauses. It also removes the obligations on the Information Commissioner’s Office (ICO) to cooperate with other member states’ supervisory authorities under the Law Enforcement Directive. The Law Enforcement Directive (LED) is a piece of EU legislation parallel to GDPR which also came into effect in May 2018. The LED deals with the processing of personal data by data controllers for law enforcement purposes which fall outside of the scope of GDPR.

The current PECR rules cover marketing, cookies and electronic communications. They derive from EU law but are set out in UK law. They will continue to apply. The EU is replacing the current e-privacy law with a new e-privacy Regulation (ePR). The new ePR is not yet agreed. Its content may feature in the forthcoming negotiations.

  3. What’s the difference between the UK GDPR and the EU GDPR?

In 2020 there are in effect two GDPRs that apply domestically to the UK. This is in addition to the Data Protection Act 2018, of which an amended version also took effect on 31 January 2020.

The UK GDPR maintains the data protection standards that currently exist under EU GDPR and the Data Protection Act 2018. It introduces a newly merged regime for general processing activities.

The core provisions of GDPR all remain the same under the new domestic UK GDPR, including:

  • The principles relating to the processing of personal data and the lawfulness of processing (Article 5)
  • The rules around the processing of special categories of personal data (Article 9), also known as sensitive personal data such as data on race, political opinions, religious or philosophical beliefs, biometric data, sexual orientation and more
  • The conditions for consent (with the exception of the valid age of consent which has been lowered to 13 years in the UK GDPR from 16 years in the EU GDPR)
  • The rights of the data subject including the right to access, right to be forgotten, right to data portability and the right to rectification etc.

  4. Which version of GDPR should we be applying during the transition period?

The Data Protection Act 2018 will no longer rely on the EU GDPR, but on the UK GDPR instead. It will refer to the new domestic GDPR after Brexit. This means that when the transition period ends on 31 December 2020, UK citizens will be protected by a comprehensive data protection regime that is made up of both the UK GDPR that defines (just as the EU GDPR does today) what personal data is and how it is allowed to be processed, and the Data Protection Act 2018, which supplements the domestic GDPR and extends beyond it as well.

The EU version of GDPR continues to apply to the EU, as well as to any business anywhere in the world processing the data of, or targeting, EU citizens. This means that if a company based in the UK has customers from the EU, or a website based in the UK has visitors from the EU, it will still have to comply with both the EU GDPR and the UK GDPR.

  5. What are the changes to data enforcement and data supervision?

Data laws in the UK will not be supervised or enforced by the European Data Protection Board (EDPB), the main power of supervision and enforcement today. Rather, it will be the ICO that will supervise and enforce the domestic UK GDPR and Data Protection Act 2018 in the UK.

  6. What is the role of the ICO?

GDPR introduced the concept of a one-stop-shop for data protection regulation. In the UK, the ICO is the supervisory authority. If your business engages in cross-border processing, which is the transfer or processing of data across the EU, the one-stop-shop allows you to deal with just one supervisory authority, rather than 28. For example, if your business is primarily based in the UK but processes data across EU borders, you could appoint the ICO as your lead supervisory authority and deal with them. Similarly, if you’re based in France but also deal with UK data, the French authority can be your lead authority.

  7. What do you do if your organisation does cross-border processing?

If your organisation does cross-border processing, it is likely you will need to appoint another supervisory authority in the EU, in addition to the ICO. Although both the UK GDPR and the EU GDPR currently still apply in the UK, this will change at the end of 2020, and you’ll need to have the ICO as your authority for processing UK data and another EU supervisory authority for processing EU data.

Similarly, if you deal with any UK data but haven’t been in touch with the ICO until now, it is recommended that you do so. While businesses have until the end of 2020 to prepare for post-Brexit data protection laws, it is worth taking the time to get prepared now.

  8. What about appointing a representative?

Until now, non-European countries that deal with EU data had to appoint a representative somewhere in the Union to act as the point of contact for their EU customers and to deal with the supervisory authority.

Now that the UK is leaving the EU, UK-based organisations will have to do the same. Further, companies that are based outside the UK but collect data from the UK will have to appoint a UK representative.

This UK representative is who you would notify if there has been a data breach. This is important when dealing with the data of citizens from other countries, given the extraterritorial nature of GDPR. UK companies processing the data of, or targeting, EU citizens are obligated to notify the supervisory authority of breaches of personal data under GDPR.

  9. Does FOIA still apply?

Yes. The Freedom of Information Act 2000 forms part of UK law and will continue to apply.

  10. Do the EIR still apply?

Yes. The Environmental Information Regulations will continue to apply unless specifically repealed or amended. They derive from EU law but are set out in UK law. The UK has also independently signed up to the underlying international treaty on access to environmental information (the Aarhus Convention).

  11. First UK Fine under The GDPR

In December 2019 a London pharmacy was fined £275,000 under the GDPR for the insecure storage and disposal of patient records.

Whilst much of the headline news relating to data protection breaches concerns “hacking”, in reality most data protection breaches can be traced back to a lack of knowledge or understanding of, or adherence to, Data Protection policies and legislation.

Completing privacy impact assessments on all policies, procedures, projects and activities, coupled with annual Data Protection training for managers and staff, is a very low-cost way to help prevent breaches and fines like this.

  12. What should you do now?

  • Establish your organisation’s exposure to GDPR
  • Organisations that only process the data of people in the UK need to comply with UK GDPR and the Data Protection Act 2018
  • Organisations that process the data of people in the EU need to comply with EU GDPR
  • Don’t panic – no immediate changes to the law until 31st December 2020
  • Ensure Privacy Impact Assessments are in place
  • Ensure everyone is conversant with your policies, procedures and the latest legislation

Privacy Impact Assessments and GDPR training are two key steps all organisations can take to ensure that staff comply with the regulations.

To help organisations maintain GDPR compliance, Concrew Training offers training for Governors, Directors, management and staff at all levels on Corporate Governance, Data Protection, GDPR, and privacy impact assessments. Where required we can dovetail update training to your own policies and procedures or use the training to review them.

Concrew Training
2020