The data protection landscape will change in 2021. Here, in a nutshell, are the main changes:
1. The GDPR will become the UK GDPR.
So, we will have the UK GDPR and the Data Protection Act. The GDPR as it is now will be known as the EU GDPR.
2. Remaining compliant with EU GDPR may still be necessary
If you are based in the UK and do not have a branch, office or other establishment in any other EU or EEA state, but you either:
- offer goods or services to individuals in the EEA; or
- monitor the behaviour of individuals in the EEA,
then you will still need to comply with the EU GDPR regarding this processing even after the end of the transition period.
3. Consider if you need to appoint an EU representative.
If you do not have a base inside the EEA after the transition period ends, the EU GDPR requires you to appoint a representative in the EEA. This representative will need to be set up in an EU or EEA state where some of the individuals whose personal data you are processing in this way are located.
You do not need to appoint a representative if either:
- you are a public authority; or
- your processing is only occasional, of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data.
4. Adequacy status for data transfers could change
The EU Commission has granted the UK temporary adequacy status for the next 4-6 months. This means that, for the next few months, we can continue to transfer data back and forth as we have been doing.
However, if we don’t get permanent adequacy, then the legal framework governing transfers of personal data from organisations (or subsidiaries) established in the EU to organisations established in the UK will change.
The current rules:
- You can send personal data from the UK to the EEA, EU and Gibraltar and receive data back without any transfer safeguards.
- The UK has recognised the following countries as adequate, so you can send data to organisations there without any SCCs:
  - Andorra (has not recognised the UK as adequate)
  - Canada (for commercial organisations)
  - Faroe Islands
  - Isle of Man
  - New Zealand
What you need to do:
1. See if you need an EU representative
We have partnered with a German law firm, so we can help you with this.
2. Amend your privacy notices
Refer to the UK GDPR, not the GDPR, and determine if you need to add a section for EU data subjects.