Does GDPR change now we've left the EU?
Posted on 29th April 2021 at 09:50
Back in May 2018 GDPR suddenly became the acronym of the hour. But just in case you don’t already know what GDPR means, it stands for General Data Protection Regulation. This data protection law was introduced by the European Union and is designed to give EU citizens more control over how their personal data is collected, used and stored online.
Pre-Brexit, if you held any data on your customers, including name, address, contact details and payment information, then you needed to comply with this regulation and treat the information you hold accordingly.
But what does this mean now that the UK is no longer part of the EU?
Post Brexit GDPR
Although the UK is no longer part of the European Union, companies based here will still need to comply with the rules set out in the GDPR. This is because the regulation has an extraterritorial effect: organisations outside the EU are also affected by it, because the rules apply to any customers who are based in the EU.
For example, even if you are a UK based business selling mainly to UK customers, if you use web tools to track and analyse visitors to your company website who are based in the EU, then you may still be subject to the GDPR rules. Because of this, our advice is that you should always strive to be GDPR compliant.
However, even if you deal solely with UK customers, the changes you made to your data handling in order to achieve GDPR compliance still hold. This is because the rules set out in the EU GDPR have been incorporated into the UK’s Data Protection Act 2018. This means that the same mechanisms that regulate your customers’ private data remain in place, and the fines for not complying also still apply.
The UK is seeking to gain formal ‘adequacy’ status from the EU, and once this is in place personal data can be sent from an EEA (European Economic Area) member state to the UK without needing any further safeguards. ‘Adequacy’ status is the term used by the EU to describe other countries, territories, sectors and international organisations that it deems to offer an ‘essentially equivalent’ level of data protection to that which already exists in the EU.
There is a four to six-month bridge from the UK’s withdrawal from the European Union, during which data can continue to flow from the EEA to the UK whilst this adequacy agreement is being negotiated.
If you haven’t done so already, these are the steps we suggest you take with your customers’ data now that Brexit has been agreed:
- Continue to comply. Follow the ICO guidance around GDPR to ensure you’re still compliant.
- Data flows into the EU. If you transfer any personal data from the UK into any other country (not just the EU), identify this data and continue to apply the rules set out in the Data Protection Act 2018.
- Data flows into the UK. If you receive any data from an EEA country, make sure that you maintain the safeguards set out in the GDPR.
- Documentation. Review your Data Protection policies to ensure they’re up to date and comply with the law.
- Employees. If you have any employees, make sure they are aware of what’s going on. If you have a DPO (Data Protection Officer), they can continue to play the same role for the UK and Europe.
If you store personal data on your customers, then it’s most likely that the Data Protection Act 2018 applies to you. Therefore, we advise that you familiarise yourself with the rules laid out by the General Data Protection Regulation and continue to observe them.
You can contact us and we can help you meet the compliance requirements involved in data protection.
Nicola J O'Sullivan -
Founder | Xero Champion | IR35 Expert