An SME’s Guide to Data Protection and Brexit


Jonathan Smy of SMY IT Services talks us through the data protection rules that business owners need to be aware of as the UK leaves the European Union

By Jonathan Smy

As the UK prepares to fully withdraw from the European Union, businesses need to be aware of changes to data protection rules that could be triggered by the end of the Brexit transition period. It has been a time of uncertainty for those who rely on the free transfer of data to and from Europe, with much yet to be agreed regarding what will happen once the full withdrawal takes place.

The UK has been in a transition period since it left the EU on 31 January 2020, retaining the EU's General Data Protection Regulation (GDPR) in domestic law until the transition comes to an end. Essentially it has been 'business as usual' so far in terms of data protection for most companies, but that may be set to change in the new year.

What changes could the withdrawal bring to data protection?

The UK Government has said it plans to enshrine the existing GDPR in UK law to limit change to the core principles of the rules. The UK was a strong advocate of the GDPR and contributed heavily to its wording, so it is unlikely that much will change in the short to medium term.

However, following the end of the transition, the UK will have the independence to keep its GDPR rules under review. Much depends on whether the UK and EU can come to an agreement. GDPR's transfer rules apply to those sending or receiving personal data within the European Economic Area (EEA), which is the EU plus Iceland, Norway and Liechtenstein.

When the transition period ends, the UK will become what is known as a 'third country', a state that falls outside the EEA. GDPR rules restrict the transfer of personal data to third countries unless that data is protected by an approved safeguard or one of the listed exceptions applies. The EU Commission has the power to determine which third countries have an adequate level of data protection; personal data can be sent to those countries without any further safeguarding.

In February 2019, the Commission listed Andorra, Argentina, Guernsey, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay as having adequate data protection. Partial findings of adequacy had been made for the USA, Japan and Canada (the Privacy Shield decision covering the USA was later invalidated by the Court of Justice of the EU in July 2020). However, it is still uncertain whether or not the EU Commission will decide that the UK has the required level of protection.

What could this mean for UK SMEs?

Without an adequacy decision, companies in the UK could face difficulty maintaining the free flow of personal data from Europe. This would have a much bigger impact on small and medium-sized businesses in the UK, as large firms and multinationals tend to have established data transfer mechanisms already in place.

Microsoft has already started to move its UK Office 365 customers' data to UK datacentres, and all business owners should review where their data and backups are stored, including any copies held by cloud providers, to assess whether changes are needed to remain compliant.

The Information Commissioner's Office (ICO) says UK businesses that receive personal data from contacts in the EEA will need to 'take extra steps' to ensure the flow of data is not interrupted. Businesses that comply with GDPR and have no data transfers with contacts in the EEA will be unaffected by the completion of the transition period. Note, however, that a business can be affected even if it does not trade with European or other international businesses, because the systems it uses, such as Salesforce or other cloud-based CRM systems, may themselves move personal data across borders.

What can UK SMEs do to prepare for changing regulations?

The best way for companies to be prepared when the transition ends is by ensuring they comply with GDPR rules now. According to the UK Government, data being sent from the UK to the EEA will not be interrupted, so companies sending data in that direction will not need to take extra steps to stay in compliance.

For those who do receive personal data from the EEA, there are other forms of protection they can implement. For most firms, Standard Contractual Clauses (SCCs) may be a good way to ensure that the flow of data and information into the UK from the EEA is not interrupted. SCCs are a contract between a company inside the EEA and a company outside it, agreeing to transfer personal data on EU-approved terms.

If personal data is sent from someone in the EEA to someone outside it, the sender has to comply with GDPR rules on international transfers. SCCs are a safeguard used to help firms comply with these rules and tend to suit small and medium-sized businesses.

Will these changes affect all businesses that handle data?

Companies can also consider whether they can achieve their aims without sending personal data at all. If the data is anonymous, and there is no way of identifying individuals from it, then it does not count as personal data. Be aware that pseudonymised data, where names are replaced by codes or hashed identifiers but a key or additional information could still link records back to individuals, remains personal data under GDPR and is still subject to the transfer rules.

Transfer restrictions therefore do not apply to genuinely anonymous information, and firms are free to send it outside the EEA.

What can businesses do now?

So much is still undecided regarding the details of the full withdrawal that it is crucial for UK SMEs to keep a close eye on any changes. The most important things for businesses to do at the moment are to comply with current GDPR requirements, keep up to date with Government and ICO advice on any changes in the law, and investigate whether Standard Contractual Clauses could help maintain their free flow of information from the EEA.

About the Author

Jonathan Smy is managing director of SMY IT Services, based near Ipswich, Suffolk. He is an IT strategy, computer support and solutions expert with 18 years' experience in the industry. SMY IT Services is a high-quality IT support, cloud and consultancy provider specialising in sectors including recruitment, property, construction and professional services.