UK companies are being urged to stay calm over the new data protection law which took effect following the end of the transition period with the European Union last year, when it changed from EU GDPR to UK GDPR.
The UK Government rolled over the data protection laws to UK GDPR from 1 January 2021, so UK businesses that process personal data should continue to comply if they had met the requirements of EU GDPR, says Allott and Associates, a leading Yorkshire-based GDPR specialist and business to business PR and marketing agency.
Allotts’ Former Managing Director and qualified GDPR practitioner, Philip Allott, said: “The EU-UK trade deal also contains a bridging mechanism that allows the continued free flow of personal data from the EU/EEA to the UK after the transition period until adequacy decisions come into effect, for up to six months. However, support is available for companies concerned about the changes with regard to UK GDPR and data sharing in general.
“We offer an initial free data protection consultancy service that advises businesses if their data processing activities are currently compliant with the rules, as well as help in preparing an action plan for sharing data outside the UK if adequacy has still not been granted by the EC after the six-month hiatus. It’s vital that organisations know that their processing complies with the appropriate legislation.”
If the UK data laws are judged not to deviate too much from EU GDPR and are deemed adequate by the European Commission (EC), the free flow of personal data will carry on without any new restrictions – subject to compliance with UK GDPR. But if the EC decides otherwise, special documentation will need putting in place, i.e. binding corporate rules (BCR) or standard contract clauses (SCC).
Adequacy is a test applied by the EC to determine whether third countries (those not part of the EU or European Economic Area) are judged to have similar data protection rights as the EU. Although UK data protection mirrors EU GDPR, it should be noted that this privilege has been granted to just 12 countries; the last to agree a data protection deal with the EU was Japan, and it took over two years.
Whatever rules apply, firms with head offices overseas must ensure that they are compliant for the transfer of personal identifiable data to the subsidiary in the UK, and vice versa when companies’ owners are based in this country.
Outside of the EU, 11 of the 12 countries deemed adequate by the EC have informed the UK Government that they will maintain unrestricted personal data flows and there are currently no changes to the way UK businesses will send personal data to these nations and Gibraltar.
UK GDPR is exclusively enforced by the Information Commissioner’s Office (ICO) for the processing of personal data. It imposes responsibilities with a requirement for compliance to be adhered to and demonstrated at all times. In addition to a Data Protection Officer (DPO) an EU representative will need to be appointed where there is a lot of data processing involving EU subjects.
Companies should prepare a plan for updating all their privacy policies, Data Protection Impact Assessments (DPIAs) and other data protection documentation where they make references to EU law, to reflect UK data protection guidelines and also check whether they import any personal data from Europe to see if any further safeguards need putting in place.