The Department for Digital, Culture, Media & Sport has released guidance for using personal data in your business after the end of the transition period.

Legal framework

  • The EU General Data Protection Regulation (GDPR) requires organisations to be accountable for the personal data they hold.
  • Personal data is any information that can be used to identify a living person, including names, addresses and HR data such as payroll details.
  • GDPR will be retained in UK law after the end of the transition period alongside the Data Protection Act 2018.

International data transfers

  • Where the European Commission recognises that a third country’s data protection regime provides adequate protection, personal data is allowed to flow freely between the European Economic Area (which includes the EU) and the third country.
  • In the absence of a determination of adequacy, businesses and organisations must have alternative transfer mechanisms in place to keep data flowing from the EEA.
  • The UK is working with the EU to secure adequacy decisions.
  • There are currently no changes to the way you send personal data to the EU.

Take action

  • With just weeks to go, the EU has yet to decide whether it accepts that the UK’s data protection regime is still adequate.
  • If you receive personal data from the EU/EEA, prepare now to keep data flowing lawfully from 1 January 2021, whatever the EU decides.

Steps your business needs to take

  • You should take stock of the personal data you hold prior to January 2021.
  • If you receive data from the EU/EEA, you should map your data flows and put in place alternative transfer mechanisms with any relevant EU/EEA organisations.
  • You can put in place safeguards by incorporating standard contractual clauses. Search ‘keep data flowing’ on the ICO’s website for more help.

Personal data provisions in the Withdrawal Agreement

  • Without adequacy decisions in place, the personal data protection provisions of the Withdrawal Agreement will come into effect. These require certain ‘legacy’ personal data you may hold to be protected in line with EU data law (as it stands at the end of the transition period).
  • Legacy data comprises personal data of individuals outside the UK (whether in the EEA or not) processed in the UK before the end of the transition period or subsequently on the basis of the Withdrawal Agreement.
  • You will need to familiarise yourself with these requirements to ensure you are in a position to comply.

Further guidance

  • Visit the UK guidance on using personal data in your business or other organisation after the transition period.
  • Visit the ICO guidance, including an interactive SCC tool, or call the helpline on 0303 123 1113.