Brexit and GDPR – End of the Bridge.

We are fast approaching the end of the initial four-month data “bridge” on 1 May, which was introduced in the trade deal between the UK and European Economic Area (EEA) at the beginning of 2021. The deal provided a four to six-month “bridge” period to get ready for new international data transfer rules. The EEA has yet to approve its draft adequacy finding regarding UK data protection laws, leaving organisations with no clear answer on what might happen on 1 May 2021.

The ICO’s advice is “If adequacy decisions are not adopted at the end of the bridge, transfers from the European Economic Area (EEA) to the UK will need to comply with EU GDPR transfer restrictions”.

 
 

What should organisations do to prepare for the end of the “bridge” period?

 
 

1.  Review (and, if needed, update) your Record of Processing (which is required under the GDPR and Data Protection Act 2018) to identify whether your organisation processes the data of EEA-based citizens.

 
 

Your record of processing should show:

a.  The type of personal data you process;

b.  Where the data subject is located;

c.  On what lawful grounds the processing takes place, based on those set out in the relevant legislation;

d.  Where the data is processed;

e.  With whom it is shared and why;

f.  How long it is retained for.

 

2.  If you find that you do hold EEA data subject personal data, you will need to:

 

a.  Update your Privacy Policy, and possibly your Terms and Conditions;

b.  If data is processed either a) outside of the UK or b) outside of the EEA, check that suitable safeguards are in place to protect data subject rights; and

c.  Appoint an EU Data Protection Representative who can be contacted by your EEA-based data subjects to enforce their data protection rights.

 
 