Transition Update 1
Where are we now?
31 January 2020
The answer is that the UK is officially out of the EU, but geographically still in Europe. The 'excitement' (or was that relief?) of Brexit actually happening has passed. So perhaps now would be a good time to take stock - at least in relation to data protection.
The basic message is DON'T PANIC!
What is the current position?
Not a lot has changed because we have entered an 11-month transition period that will end on 31st December 2020. That means that all the EU rules still apply, and that includes the GDPR.
In the words of the ICO, this means it is "... business as usual for data protection." The GDPR is still in force meaning that anyone processing personal data should continue to follow the ICO's existing advice and guidance on their data protection obligations.
During the transition period, companies and organisations that offer goods or services to people in the EU will not need to appoint EU representatives. The ICO will continue to act as the lead supervisory authority for businesses and organisations operating in the UK.
It is not yet known what the data protection regime will be after the transition period, and inevitably businesses and organisations will continue to have concerns about the future of data flows and the general handling of personal data.
What happens on 1st January 2021?
Post Transition, the UK will be a 'third country' in EU terms and the (EU) GDPR will no longer be part of UK law.
- The UK Government has acknowledged that it will recognise all EEA countries under its own adequacy ruling and incorporate all existing EU adequacy decisions. This will allow organisations within the EU to continue to facilitate data transfers from the UK to these countries.
- GDPR restrictions will apply to personal data transfers into the UK unless the EU establishes that the UK is an “adequate” country. For the EU to do this, the European Commission will have to assess and approve the UK's adequacy. There may not be time for this by 31st January and so organisations need to ensure that they have appropriate safeguards in place for inbound data transfers, such as adopting the EU’s standard contractual clauses in their arrangements with EU-based entities.
- Organisations based in both the UK and the EU will need to update their privacy notices to reflect the change to third country status.
The UK Government has said that it plans to continue 'GDPR' post the transition period and the ICO expects that it will be incorporated into UK legislation as the “UK GDPR” and so organisations should maintain their compliance on that basis. However, this is not a certainty, so watch this space!
After the transition period, companies and organisations offering goods or services to EU residents, with establishments in the EU, or monitoring the behaviour of people located in the EU will still have to comply with the GDPR because of the extra-territorial scope of the legislation.
Happy Data Something Day
It's either Protection or Privacy
28 January 2020
It is mostly called Data Protection Day in Europe and Data Privacy Day elsewhere. So does the UK have to change position after 31st January? Either way, it is a worthy day to remember each year.
Created by the Council of Europe in 2006, Data Protection Day is celebrated every year on 28 January, the date on which the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was opened for signature. Data Protection Day is now celebrated globally.
The Convention was the first binding international instrument "... which protects the individual against abuses which may accompany the collection and processing of personal data and which seeks to regulate at the same time the transfrontier flow of personal data.
In addition to providing guarantees in relation to the collection and processing of personal data, it outlaws the processing of "sensitive" data on a person's race, politics, health, religion, sexual life, criminal record, etc., in the absence of proper legal safeguards. The Convention also enshrines the individual's right to know that information is stored on him or her and, if necessary, to have it corrected.
Restriction on the rights laid down in the Convention are only possible when overriding interests (e.g. State security, defence, etc.) are at stake.
The Convention also imposes some restrictions on transborder flows of personal data to States where legal regulation does not provide equivalent protection."
So Data Something Day is in our diary. Perhaps it should be in yours; maybe to remind you that you have only 9 weeks or 63 days left to submit your final Data Security & Protection Toolkit submission for 2019/2020.