As part of the deal Britain agreed with the European Union (EU), data protection regulations will remain largely the same for most businesses.
In May 2018, the General Data Protection Regulation (GDPR) rules came into effect, which changed the way businesses can legally use customer data. These EU regulations are also part of UK law, set out in the Data Protection Act, meaning they will remain in place even though the UK has left the EU.
The Brexit deal contains a temporary agreement on data to allow the EU time to ratify a data adequacy agreement, which would mean that the UK is certified as meeting EU standards on data.
If you already comply with GDPR and don’t have any contacts or customers in the European Economic Area (EEA), then it’s likely you adhere to the existing data protection rules. However, it’s always worth checking that everything is covered.
If you do have customers or a presence in Europe, there will be some steps for you to take to ensure data can continue to flow into the future.
Three things you can do to comply with data protection regulations
(1) Make sure you are GDPR compliant
The new GDPR rules came into effect in 2018 and, while the UK is expected to continue to align with EU GDPR going forward, there may be some additional steps you need to take if you operate in Europe or have European customers. From a data protection point of view, the best thing you can do is to double-check that you’re covered. This means making sure that your systems and processes, as well as all of your data on customers in both the UK and the European Economic Area (EEA), are compliant.
- The government has put together an overview of maintaining data flows and data protection with the EU/EEA
- The Information Commissioner’s Office (ICO) offers a number of interactive tools for SMEs to check whether you are compliant, as well as a checklist to understand how your business may be affected by the end of the transition period and what to do
- A checklist from Simply Business provides a valuable overview on all things GDPR for small businesses
(2) Ensure you’re able to send or receive data from Europe
Transfers of data in and out of the EEA will not be restricted, so if you’re sending data to any of the countries in that area, you need to continue to make sure it is GDPR compliant. If you are receiving personal data from a business or organisation in the EEA, you will need to take action to make sure this can continue. Utilising Standard Contractual Clauses (SCCs), standard sets of contractual terms and conditions, is the best way to make this happen.
- The ICO has developed a tool to help you find out whether this solution works for your business, and which SCCs you need
(3) Check whether you need to appoint a representative in the EEA
Even if you’re UK based, if you operate in the EEA, or gather data on any individuals from the region, there may be more you need to do in order to comply with the EU data protection regime. You may need to appoint a suitable representative in the EEA, who will act as your contact for the authorities.
- The ICO offers information on whether you need to appoint a representative now that the transition period has ended