It’s been over a year since we published our last article about Brexit, and it goes without saying that a lot has changed since then! This time around, we will be taking a look at what Brexit means for GDPR law and how it affects businesses operating in the United Kingdom and Europe.
The Brexit transition period ended on December 31st, 2020, and while the EU GDPR no longer directly applies to the UK, it was adopted as domestic law along with several amendments to ensure it can be applied in the UK. This amended version, commonly known as ‘UK GDPR’, now governs the processing of data within the United Kingdom. As outlined here in the ICO’s FAQ for the end of the transition period, other rules such as PECR and NIS will continue to apply in the United Kingdom.
But what does this mean for businesses? According to a recent article from Osborne Clarke, “Both the EU GDPR and the UK GDPR have extra-territorial effect, and businesses need to think about the impact which the two regimes will have on their data flows, records of processing, contracts, policies and procedures, along with requirements to appoint EU data protection representatives.”
Do you have a legal translation project? Contact us!
Who is affected by these changes?
Many businesses will be subject to both GDPR regimes, as both the EU and UK GDPR law have extra-territorial reach. So, if you have offices in both the EU and UK, for example, you would be subject to both regimes. Although the EU GDPR and UK GDPR are largely parallel, they remain separate, and businesses will therefore need to be prepared to comply with both sets of data protection regulations.
Contracts
One of the immediate changes resulting from the adoption of the UK GDPR regime is that many organizations will need to update their contracts and policies. Osborne Clarke’s report on the topic mentions that “the expectation is that the ICO will approve a new set of standard contractual clauses in due course, which are likely to replicate and align with the new draft standard contractual clauses published by the European Commission in November 2020.”
When one thinks of new contracts and policies, paperwork is probably the first thing that comes to mind! For a business with European and British offices, this could mean multiplying that stack of paperwork if you need to translate these documents for each country where you have operations. Our expert legal translation team is ready to support you throughout the process, offering 24/7 availability and a quote within an hour.
What other updates may need to be made?
Depending on their circumstances, it’s possible that companies will have additional regulatory responsibilities. For example, in the coming months, organizations may need to appoint separate Data Protection Officers for the EU and UK. Companies should also ensure that their records, privacy policies, and contracts are updated to reflect the UK’s position outside the EU.
What’s next?
In the weeks leading up to Brexit, there was a great deal of uncertainty about what a ‘no deal’ Brexit could mean for GDPR and organizations that need to transfer data between the EU and UK. The EU still needs to decide whether the UK offers an adequate level of data protection, but fortunately the EU-UK Trade and Cooperation Agreement (TCA) implements an interim solution that gives the EU more time to make its decision. The agreement has effectively made it lawful to transfer data for a period of up to six months, beginning on January 1st, 2021. As DLA Piper concluded in their report about EU-UK data transfers, “the commitments that have been made, alongside the six-month bridging period in the trade agreement, will be welcome news to business and should give sufficient confidence to anticipate adequacy will be resolved shortly.” On the other side, the UK has already confirmed that it considers EU member states to be adequate and that data flows can continue without any additional amendments. This is good news for European and British businesses alike.
To conclude, while the GDPR regimes in the EU and UK are largely similar, there are still a few points to keep in mind with regards to data protection policies and procedures. If your business requires assistance with the translation of any legal documents, please contact us and we will be pleased to help.