
Naq Cyber: Goodbye GDPR, hello Data Protection Act

As of 1 January 2021, the UK is a third country under the EU GDPR legislation. This means that the GDPR is no longer applicable to UK registered businesses.

However, the UK has already incorporated the entire GDPR legislation into UK law with the Data Protection Act 2018 and the UK-GDPR (which is a UK version of the GDPR with some small changes). This means that all parts of the GDPR are still applicable to UK businesses, but now under the Data Protection Act (DPA) and not the GDPR. 

If you’re subscribed to the Naq service, you will soon have access to updated GDPR documentation that reflects the change away from the EU-GDPR to the UK-GDPR and Data Protection Act.

Here are the key points you need to know:

Nothing is changing (for now)

The treaty signed in December 2020 between the UK and the EU allows for data to flow freely between the UK and EU member states and the EEA (as was the case last year and previously) until an adequacy decision has been made. This arrangement will last for no more than six months.

Only have UK data? Then only worry about the UK data protection legislation (DPA and UK-GDPR)

If you never transfer personal data from or to the EU or EEA, or hold any data about EU nationals, then you only need to worry about the UK Data Protection Act and the UK-GDPR. The equivalency decision will have no impact on you.

Data transfers from UK to EU/EEA: no problem

The UK government has stated that it recognises adequacy between the DPA/UK-GDPR and the EU-GDPR, which means there are no restrictions on sending UK personal information to EU/EEA organisations (as long as they themselves conform to GDPR, of course).

UK to non-EU/EEA: needs some extra safeguards

For data transfers from the UK to countries outside the EU/EEA, Brexit hasn't changed anything. The situation stays the same: if you need to transfer data from the UK to a country outside the UK and the EU/EEA, you will need to implement some extra safeguards (this currently includes the United States). The easiest way to do this is through Standard Contractual Clauses (SCCs). The UK government has agreed adequacy with some countries including Argentina, Canada, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand and Switzerland. This means that transfers to these countries will not require SCCs.

EU/EEA to the UK is where it gets tricky

If the UK Government and the EU decide that the UK-GDPR has adequate safeguards to allow for an adequacy decision with regards to the EU-GDPR, then things can carry on as normal. If adequacy is not granted by the EU, you will need an SCC for every country of nationality for any data subjects. Naq will be providing UK-GDPR compliant SCC templates and advice on how to use them very soon.

Do you have EU customers? You need an EU representative

If you offer goods or services to, and/or monitor the behaviour of, EU nationals in the EU/EEA, then you need an EU representative which is registered in the EU or EEA. This representative needs to be set up in an EU or EEA state where some of the individuals whose personal data you are processing in this way are located (e.g. if you have Dutch customers you need a Dutch representative; if you have Dutch, French and German customers you need to have a representative in Holland, France or Germany). The requirements for a representative are set out on the ICO’s website. In case (some of) your data subjects are located in the Netherlands, Naq Cyber BV (the Dutch parent company of Naq Cyber UK Ltd) is able to act as your representative in the EU. If you have Dutch data subjects and would like us to be your EU representative, please let us know. If your customers are not located in the Netherlands, we will help you find a suitable party to act as your representative.

We appreciate that this is a confusing time when it comes to the GDPR and data protection. However, as Naq has both UK and EU registered businesses and our management is both British and Dutch (not to mention our resident GDPR lawyer), we will guide you through the process and keep you updated and legally compliant.

As always, if you have any questions do not hesitate to get in touch.
