Brexit checklist for data protection

Date published: 2020-12-22, by Privacy Perfect

On Dec 31st, 2020, the clock strikes zero for the Brexit transition period. Unless the EU and UK can strike a deal on privacy within the limited time that is left, the UK will become a third country for the member states of the European Economic Area. This has several consequences in the area of privacy. To help you during this time of uncertainty, we have compiled a Brexit checklist with things you need to check before the deadline. 

Brexit checklist: Organisations in the UK that collect and/or receive EEA personal data

▢ Check if you are required to have a representative in the EEA

▢ Mention EEA representative in website privacy statement 

▢ Check all notices, website privacy statements and internal policies for the correct references to the UK and/or EU GDPR. Which one applies depends on the location of the data subjects.

▢ Check whether you have to report your DPO to one or more competent supervisory authorities in the EEA

▢ Check the register of processing activities for UK-EEA data streams and account for the UK being a third country for the EEA 

▢ Check whether additional data transfer agreements need to be put in place or existing agreements changed now that the UK is a third country and no longer part of the EEA

▢ The UK considers the EEA countries adequate, so data can be freely transferred to them. When receiving EEA personal data, check if there are transfer mechanisms (such as SCC) in place.

▢ When relying on BCR with the ICO as lead supervisor, see the EDPB information note on whether you need to change anything

▢ Monitor possible future deviations between the UK and EU privacy rules as well as the adequacy status of the UK

Brexit checklist: Organisations in the EEA that collect and/or receive UK personal data

▢ Check if you are required to have a representative in the UK

▢ Mention UK representative in website privacy statement 

▢ Check all notices, website privacy statements and internal policies for the correct references to the UK and/or EU GDPR. Which one applies depends on the location of the data subjects.

▢ Check whether you have to report your DPO to the ICO

▢ Check the register of processing activities for UK-EEA data streams and account for the UK being a third country for the EEA 

▢ Check whether additional data transfer agreements need to be put in place or existing agreements changed now that the UK is a third country and no longer part of the EEA

▢ The UK considers the EEA countries adequate, so UK personal data can be freely received. When sending EEA personal data to the UK, check if there are transfer mechanisms (such as SCC) in place.

▢ When relying on BCR with the ICO as lead supervisor, see the EDPB information note on whether you need to change anything

▢ Monitor possible future deviations between the UK and EU privacy rules as well as the adequacy status of the UK 

Brexit checklist: Organisations with establishments in both the UK and EEA

▢ When your main establishment is in the UK, check whether it can be moved to the EEA if you want to continue to benefit from having a single point of contact for privacy in the country of your main establishment (one-stop-shop mechanism)

▢ Check all notices, website privacy statements and internal policies for the correct references to the UK and/or EU GDPR. Which one applies depends on the location of the data subjects.

▢ Check whether you have to report your DPO to the ICO and/or competent supervisory authorities in the EEA

▢ Check the register of processing activities for UK-EEA data streams and account for the UK being a third country for the EEA

▢ Check whether additional data transfer agreements need to be put in place or existing agreements changed now that the UK is a third country and no longer part of the EEA

▢ The UK considers the EEA countries adequate, so data can be freely transferred to them. When sending EEA personal data to the UK, check if there are transfer mechanisms (such as SCC) in place.

▢ When relying on BCR with the ICO as lead supervisor, see the EDPB information note on whether you need to change anything

▢ Monitor possible future deviations between the UK and EU privacy rules as well as the adequacy status of the UK 

Brexit checklist: Organisations outside the UK or EEA that collect or receive UK and/or EEA personal data 

▢ Check if you are required to have a representative in both the UK and EEA, or have to switch their location from one to the other

▢ Mention additional representatives or change in representatives in website privacy statement

▢ Check all notices, website privacy statements and internal policies for the correct references to the UK and/or EU GDPR. Which one applies depends on the location of the data subjects.

▢ Check whether you have to report your DPO to the ICO and/or competent supervisory authorities in the EEA

▢ Check whether additional data transfer agreements need to be put in place or existing agreements changed now that the UK is no longer part of the EEA 

▢ When relying on BCR with the ICO as lead supervisor, see the EDPB information note on whether you need to change anything

▢ Monitor possible future deviations between the UK and EU privacy rules

PrivacyPerfect is one of the first high-end privacy compliance software providers on the market.

This article does not constitute legal advice.

The opinions expressed in the column above represent the author’s own.
