The Effects of Brexit on GDPR – what you need to know
Information in this blog was correct at the time of publication, however you should check the ICO website for the most up to date information. Although it’s been three years since GDPR was implemented for UK and EU businesses, it doesn’t feel that long ago that we saw the mass panic and scare stories about this piece of legislation.
So, naturally, there has been some concern about GDPR since Brexit, and many questions!
Does GDPR still apply to UK businesses?
Has anything changed about GDPR for businesses located in the UK?
Is there anything new I need to do as a business owner?
In this blog, I want to give a general overview about GDPR now we’re out of the EU, and let you know what you need to be aware of and doing for your business to ensure you’re staying compliant with data protection regulations.
The Data Protection Act (2018)
A major update was made to the UK’s Data Protection Act (DPA) in 2018 to make it fit with GDPR. As GDPR is EU legislation affecting all activities around the personal data of EU citizens, it was necessary for the UK law to ensure our DPA was in line with the General Data Protection Regulations.
As the UK is no longer part of the UK and finalising withdrawal, the protection of data for UK citizens is covered under the UK DPA and so first and foremost, it is important to ensure that your business is compliant with that particular legislation.
However, any business around the world must comply with the EU directive of GDPR when it comes to processing data about EU citizens.
Whatever the UK chooses to do with the DPA (it’s being reviewed), GDPR is still relevant if you’re transferring data to/from the EU (such as using cloud apps and the servers are in the EU, for example) or have EU nationals as clients.
So, in effect, you need to consider both the UK DPA and the EU GDPR when it comes to data protection in your business.
Identify any data you hold on EU citizens
As a first step, you need to know who your clients are and where they are located.
One thing to look out for is nationality rather than residence. All of your clients might be located in the UK, but if any of them are EU nationals they are still classed as EU citizens, and thus their data falls under GDPR rather than DPA.
As this circumstance could happen at any time, you need to ensure your data protection measures cover this eventuality. It also means you should ascertain nationality when onboarding clients to ensure you treat their data accordingly.
Sharing data with the EU has changed
When you share data with a company in the EU, such as storing information on a server in the EU, or sending data via email or DropBox, etc; you need to ensure that the system or individual complies with the DPA for your UK based clients and GDPR for your EU based clients.
During GDPR, a lot of companies moved their servers to the EU to comply with the directive, but we’re now seeing that many online systems are moving data to the USA for UK clients. This means a change in service, thus you should, at the very least, have a data processing agreement in place with them that confirms the security of the data during the international transfer of data.
However, US-based systems can be problematic for GDPR (hence why they changed to EU servers back in 2018), so if you do have EU citizen data it might be worth reviewing your systems to those still based in the EU.
You can find out more about international transfers from the ICO here.
You are the data controller for your business
As the data controller, you are the 1st party and determine the data you collect, your reasons for collecting it and what you do with it, i.e., how you process that data.
Your clients, the data subjects, are the 2nd party.
Any person outside of your organisation or a system you use to store/process data is a 3rd party.
It’s important that you understand these relationships as it’s a core part of data protection regulations and what you need to be doing as a data controller to remain compliant.
As a data controller, if you are sharing data within the UK with a third party (like an accounting app or outsourcing partner, for example), you need to have the following in place.
- The contract including obligations of confidentiality – this should define personal data, require all parties not to share this outside of the contract and states compliance with GDPR in the UK or on a global level.
- Data Processing Agreement – this adds to the confidentiality element of the contract by including specific instructions from the data controller to the processor of what is going to be done with the data.
- Security Instructions – these should tell the data processor what the minimum data security requirements for them handling this data – e.g., should any devices they use be encrypted, should they use a VPN when working on Wi-Fi, etc.
At the moment these are also sufficient for sending data to and from the EU – therefore if you are using a system that is storing data in the EU then having these in place will cover you.
When the UK has fully withdrawn from the EU, i.e., post-Brexit, you can continue to use your contract, data processing agreement and security instructions to send data from the UK to the EU, however, if you have data coming from the EU to the UK, you may need to have additional contractual terms in place to ensure compliance with GDPR.
We are currently in a transition period and therefore we can continue as we are for now, but later in 2021 (we haven’t been given a definite date yet), we may need to change things if you need data to flow from the EU to the UK.