Following the UK leaving the EU, the looming end of the transition period at the end of the year and the challenges that we have all faced this year with Covid-19 you would have been forgiven for not paying attention to the impacts that a No-Deal Brexit has in regards to the GDPR and your business.
What’s the law under a No-Deal Brexit?
Legally the GDPR is going to be incorporated directly into UK law with the UK GDPR which will work alongside the data protection act. But how does this affect working with European based clients, customers, suppliers or your own staff?
When transferring data between the UK and EU, such as where you are providing your goods or services to a client in the EU, you will need to comply with the GDPR’s rules and safeguards for international transfers.
Without a deal the UK will not be able to rely on a determination of Adequacy. An adequacy decision is where the EU Commission determines that a country’s data protection laws are to a standard which ensures the security of European individual’s personal data. Currently the EU has determined the adequacy of countries such as Switzerland, Guernsey, New Zealand, Japan and Canada.
When dealing with a client or supplier in these countries and personal data is involved the fact the EU considers them adequate means that there are no additional terms, procedures or rules in place. In practice it is seamless.
Unfortunately without a deal and with no indication of a deal coming it appears that we will unable to rely on a forthcoming adequacy decision and therefore need to implement another safeguard.
Actions to take to comply with the law from January 2021
The best safeguard for SMEs, from an ease and cost effectiveness viewpoint, to implement is the incorporation of Standard Data Protection Clauses. These, also known as SCC, are standard terms which are approved by the European commission and there are four types dependent upon the situation.
The best action for businesses to take between now and January 2021 is to ensure that these terms are incorporated with all of their EU based customers and clients. Where there is an existing contract in place then the best way forward may be through adding them to the original contract through an addendum. Alternatively the best way forward, and certainly the best way in regards to new customers and clients, is by incorporating the SCCs into your current terms with EU based entities.
Should you need assistance with making these amendments to your current terms or, correctly and legally having these incorporated into current agreements, then please contact me by email or telephone with the details below.
The alternative safeguards range from Binding Corporate Rules, which are internal rules ensuring multinational businesses apply the same standard of data care worldwide, to approved industry Code of Conducts which were newly introduced under the GDPR. There are, however, still no approved code of conducts and therefore it is unlikely that you could rely on these before the end of the Brexit transition period.
Where there isn’t a safeguard available to you then there are certain exceptions which could apply. The important two are where the individual has explicitly consent to the transfer or where the transfer is strictly necessary but occasional rather than routine.
The issues which apply to the above safeguards, other than SCCs, or exceptions is that they can be particularly onerous or niche. Gaining the consent of each individual before processing their data requires addressing this directly with the person whilst Binding Corporate Rules need to be approved and such approval is extensive, costly and time consuming.
The best way forward
Devoid of leaving the EU with a deal that includes an adequacy determination it is likely that the best course of action to ensure your business is compliant and does not fall foul of the GDPR is to ensure that SCCs are incorporated and form part of your terms with EU based parties.
We can help with these changes and ensure that you can continue trading with Europe and should you wish to discuss this or makes these changes then you can get in contact here: [email protected] or 01273 447 072.
News
Selling your business is one of the biggest decisions a business person can make. Handing over “your baby” is always going to involve mixed emotions and a lot of considerations – not least the kind of buyer you want to take over the business. An option we have seen some clients explore is selling to a private equity investor as opposed to a more “traditional” sale.
News
In an era where technology is reshaping industries, businesses are finding themselves at the crossroads of innovation and responsibility. As a forward-thinking law firm, we understand the transformative power of Generative Artificial Intelligence (A.I.) and how this can be integrated into a business and its current practices. We are also aware of the potential grey areas and pitfalls working with A.I. may have, and why it there may be a critical need for businesses to implement comprehensive A.I. policies.
News
Business owners and employees alike should be prepared for what to expect when expecting in the workplace as redundancy and maternity laws are changing.
Check us out on social
