The GDPR in the UK
The GDPR, first in its EU form and now living on post-Brexit in the UK as the UK GDPR, has been with us for three years and, over that time, has been one of the most talked-about legal topics across a broad range of businesses.
What’s Happened Since 2018?
When the GDPR first came into effect back in 2018, organisations of all sizes found themselves in a panic. A great deal of commentary on the new rules focused on nightmare-inducing penalties reaching into the millions, with many small businesses needlessly fearing ruin for innocent mistakes. The Information Commissioner had always intended to take a reasonable and proportionate approach to enforcement, however, and that has been reflected in events ever since.
As with any area of law, data protection isn’t standing still. The ICO and others continue to develop codes of practice and guidance designed to assist organisations of all sizes in their compliance with the rules. Topics addressed so far range from direct marketing and ad-tech to the handling of children’s personal data and AI.
The Brexit Effect
The EU GDPR was retained in UK law with some contextual amendments, resulting in the UK GDPR. The UK GDPR forms part of a broader body of privacy legislation that includes the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003. For many small businesses, the UK GDPR is the primary focus. The good news is that the obligations and rights set out in the EU GDPR remain in the UK GDPR and, for the most part, are unchanged.
Nevertheless, it is important to be aware that if you operate in the EEA, the EU GDPR will still apply (as well as the UK GDPR, assuming you also operate in the UK). For those who are only based in the UK but offer goods or services to individuals within the EEA or monitor their behaviour, the EU GDPR may also still apply, and it may be necessary to appoint a suitable representative within the EEA.
Cross-border transfers of personal data must be viewed through a new lens too. Thankfully, personal data moving from the UK to the EU or EEA can continue to do so. Up until 28 June 2021, under the EU-UK Trade and Cooperation Agreement, data flows in the other direction were also permitted under a temporary six-month “data bridge”. This has now been succeeded by a formal adequacy decision.
28 June EU Adequacy Decision Update
On 28 June, the EU Commission formally adopted two UK adequacy decisions under the GDPR and the Law Enforcement Directive. This means that personal data can continue flowing in both directions unhindered. In this context, the GDPR adequacy decision is our focus. The decision is unusual in that it is time-limited to four years. This so-called “sunset clause” is designed to safeguard against future divergence. Over the next four years, the EU Commission will be observing UK data protection law closely to ensure that our framework continues to provide adequate levels of data protection, particularly where onward transfers to other countries (which may not offer good levels of data protection) are concerned. Furthermore, the adequacy decision may be suspended, repealed, or amended at any point if the UK’s approach to data protection changes. There are, then, various ifs and buts, but for the time being at least, the adequacy decision is still very good news.
What about data transfers from the UK to non-EEA countries? Again, there is good news. Countries covered by EU adequacy decisions in effect on 31 December 2020 continue to be recognised as adequate by the UK. New EU Standard Contractual Clauses have just been published by the EU Commission; however, the outgoing or “legacy” SCCs, valid as at 31 December 2020, will remain valid for restricted transfers of personal data from the UK to third countries until the UK publishes its own SCCs. The ICO is currently expected to consult on these sometime this summer.
At present, data protection compliance here in the UK has changed little as a result of Brexit. As time passes, the key question will be to what degree things are likely to diverge. Considering the strings attached to the EU adequacy decision, the potential for future divergence will likely be limited. The UK will need to ensure a considerable degree of regulatory alignment with the EU on privacy and data protection in order to preserve its adequacy status.
Such alignment may also extend to the would-be successor to the Privacy and Electronic Communications Regulations 2003 in the form of the EU’s long-debated “ePrivacy” Regulation. This was expected to be ready to come into effect alongside the GDPR, but it is still a work in progress for the time being (some sources do not expect it to come into effect for at least another two years, possibly more). Being EU legislation, it will not – of course – become law in the UK, but significant similarities between future UK legislation on online privacy and the new EU regulation should be expected.
Privacy in a Pandemic
The COVID-19 pandemic has also been significant from a data protection perspective. According to the University of Law, 2020 saw an estimated 12% growth in new businesses compared to 2019 and figures from Growth Intelligence suggest that the pandemic saw more than 85,000 new online businesses being established during the lockdown. Online businesses and data protection go hand-in-hand, requiring the personal data of customers and employees to be handled with great care and, in many cases, presenting a steep learning curve for budding entrepreneurs.
Meanwhile, the data protection policies and procedures built around long-established business practices were suddenly faced with a significant challenge – the boom in home working. Centrally controlled workstations on secure business networks gave way to laptops and iPads perched on kitchen tables, connecting to the outside world over domestic Wi-Fi. As discussed here, back in March 2020, maintaining training and awareness and implementing or adapting suitable policies and procedures was, and is, essential.
What Should You be Doing Now?
While the core principles, obligations, and rights enshrined in the GDPR have remained consistent since 2018, it is still important to regularly review your use of personal data and the policies and procedures in place within your business to protect that data and the rights of individuals. New and evolving projects, for example, may have changed the way in which you use personal data, possibly without you even realising it. Now, then, is the ideal time for a refresh, and to give your data protection compliance a thorough check-up.
Data Protection Content at Simply-Docs
An extensive range of data protection document templates is available, each designed to help you comply with different aspects of your obligations under the UK GDPR. These are discussed in more detail here.
- Start by reviewing and understanding your current data protection position with a Data Protection Audit.
- Always follow the principles of Data Protection by Design and Default when planning new projects or using personal data in new ways. Data Protection Impact Assessments are a great tool to help you do this.
- Get your policies in place and up to date. Key internal policies such as Data Protection Policies, Security Policies, and Data Retention Policies help everyone in your business understand their obligations when it comes to data protection and help to establish procedures for the correct handling of personal data and the protection of data subjects’ rights.
- Ensure that you are equipped to handle data breaches. Nobody wants them to happen, but the UK GDPR’s requirements mean that you must have procedures in place to handle them if and when they do occur. A Data Breach Policy, supported by suitable records, is a valuable starting point.
- Make sure that individuals know what you’re doing with their personal data, what their rights are, and how to exercise them. Privacy Policies and Privacy Notices play a vital role here. The terms are used interchangeably (along with other names such as “Privacy Statement”), but here they are used to differentiate between online and offline privacy information.
- Respond promptly and clearly to requests from individuals to exercise their UK GDPR rights. One of the most commonly exercised rights is the right of access. Check out the range of templates for dealing with Subject Access Requests. A similar set of documents and an accompanying customer-facing Policy template are also available for the full range of Data Subject Rights.
- When transferring personal data to another party, make sure it is covered by a suitable contract. Data Processing Agreements are available for different controller-to-processor scenarios and a Data Sharing Agreement is available for use when two UK-based data controllers are sharing personal data.
When the GDPR first came into force, it presented a number of challenges, not to mention fears, to many businesses. The past three years have helped to put things into perspective as best practice and official guidance have gradually developed. If you were complying with the GDPR before Brexit, you should still be in good shape today under the UK GDPR, but there’s also no time like the present to take a step back and get a good overview of the current state of play and to make sure that you’re doing the best you can!
The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.