The UK’s withdrawal from the European Union (EU) has caused a myriad of delays, disruption, and disturbances for current and new companies set up in the UK. But there’s another thing that businesses need to consider post-Brexit, and that is how data is being regulated.
With the UK no longer being part of the EU, businesses will have to adapt and change the way they store, process, and use data.
Fortunately, much of the UK’s data protocol still follows the guidelines stipulated in the General Data Protection Regulation (GDPR), but there are some new rules to be aware of.
Let’s dive into what these are and what they mean for your business.
Before we assess what’s new, let’s first take a bird-eye level view over data governance both here in the UK and in the EU.
Fortunately, the UK will still follow the parameters set out in GDPR, though there might be some small technical changes to ensure it can apply to British law.
The UK is now officially considered a ‘Third Country’ by the EU. This means that the UK needs to wait for an adequacy decision in order to determine whether the UK has an adequate level of data protection. This decision will then impact how data sharing operates post-Brexit.
Right, enough of the overview—let’s get down to business.
Receiving Personal Data from the EU
You can continue your usual protocols until the end of the bridging mechanism (which lasts up until the EU has made an official adequacy decision).
So in short, nothing needs to change—at least for now.
However, consider putting in place alternative data transfer methods just so that you can safeguard any potential hurdles to the free flow of personal data from the EU to the UK.
While this does mean more work and we don’t even know what these hurdles might look like, it’s always good to have a contingency plan just in case.
For more information, check out the ICO website.
Transferring Personal Data from the UK
As things stand, there are no changes to the way in which you transfer personal data from the UK to the EU.
Holding Legacy Data
If your business holds personal data that you acquired before the 31st December 2020, you have to continue treating these according to guidelines set out in the GDPR. In other words, there are no new changes.
Bear in mind, however, that this might change when/if the EU grants the UK an adequacy decision.
Appointing EU-based Representatives
If your business doesn’t have a European base (e.g. office, brand, or establishment), then you might need to appoint an EU-based representative. This only applies if your business lacks a base but does offer goods and services or to citizens in the EEA, or if you monitor individuals in the EEA’s behaviour.
If you want to find out if this applies to your business, click here to head to the ICO website.
Last but not least, you’ll have to update any references to data privacy law/regulations on your company’s website. Of course, this will probably change once the bridging mechanism is over and the EU has granted the UK an adequacy decision—but just keep it in the back of your mind moving forward.
When You Get Data-driven Headaches
Data management can sometimes seem like a messy business. Having to stay up-to-date with complex, lengthy legal documents is no fun for anyone—especially not if you’re trying to run your own business.
We’re always trying to find ways to make it easy for business owners to focus on their company growth while we take care of the other things like bookkeeping for UK companies. Sure you can do them all yourself but if you are trying to grow your business while keeping up with all the Brexit updates, you might need a hand sometimes. Drop us a line if you do.