Brexit and GDPR – Over the Bridge
E.U. member states have approved the European Commission’s draft adequacy decisions for the U.K. We expect that the European Commission will adopt these formally in due course. This is great news! Data will be allowed to continue to flow between the E.U. and the U.K. without additional bureaucracy. The “bridge” period that temporarily allowed organisations to share data between the U.K. and the European Economic Area (E.E.A.) under existing E.U. GDPR legislation has ended. However, organisations will need to work within the new post-Brexit rules framework to comply with U.K. and E.E.A. rules.
Although transfers of data between the U.K. and E.E.A. do not need additional procedural steps under the Retained GDPR (the legislation adopted in the U.K. to maintain equivalence with E.E.A. rules), organisations are still required to carry out certain activities. These are the following:
1. Appoint a Data Protection Representative.
Organisations should ensure they have appointed an E.E.A. data representative and make any changes to their privacy policy now that the U.K. is a third country as far as the E.E.A. is concerned.
2. Review and update your Record of Processing (which is required under GDPR and the Data Protection Act 2018) to identify if your organisation processes the data of E.E.A.-based citizens.
Your Record of Processing should show:
a. The type of personal data you process;
b. Where the data subject is located;
c. On what lawful grounds the processing takes place, based on those set out in the relevant legislation;
d. Where data is processed;
e. With whom it is shared and why; and
f. For how long it is retained.
3. Update your Privacy Policy and, if required, your Terms and Conditions.
4. If data is transferred outside of the U.K. and E.E.A., check that suitable safeguards are in place to protect data subject rights.