Data, data everywhere … now what?

1 January 2022 marked the one year anniversary of the end of the Brexit transition period. Perhaps predictably, one year on, some things are indeed different, but a lot of things are very much the same.

In the wonderful world of data protection, you would be forgiven for believing that everything is pretty much the same now as it was pre-Brexit. The UK version of the GDPR is almost identical to the original EU version of the GDPR. The PECR, which sits alongside the GDPR and regulates electronic communications, including things like digital/online marketing, continues to apply in the UK as it did before Brexit. And, importantly, the UK adequacy decision (i.e. the decision of the European Commission acknowledging that UK data protection law is broadly aligned with EU data protection law) avoided the need for additional/special safeguards (such as standard contractual clauses or ‘SCCs’) when transferring personal data between the EU and the UK (at least for now, see below).

However, there are a few things that have changed, which may have slipped under the radar.

First, any UK-based data controller who handles personal data relating to EU data subjects must appoint a representative in the EU. In other words, if your UK business handles names, email addresses, or other identifiable information of customers, suppliers, or workers based in the EU, you must appoint an EU representative. The appointment of the representative is a simple exercise (although it must be documented in writing), but failure to do so could have serious/expensive consequences. In one case involving a Canadian website, the failure to appoint a representative resulted in a fine of €525,000 (although it’s likely that the hefty fine reflected non-compliance in a number of other areas). There are identical mirror obligations on EU-based data controllers who handle personal data relating to UK data subjects to appoint a representative in the UK.

Second, the old EU versions of the SCCs have been repealed, with effect from 27 September 2021, and replaced with the new EU versions of the SCCs. In the EU, there are now four versions of the SCCs (controller to controller, controller to processor, processor to processor and processor to controller), whereas in the UK there are still only two versions (controller to controller and controller to processor). However, the UK is also planning to replace the current UK versions of the SCCs with a new international data transfer agreement or ‘IDTA’ (currently in draft form). In other words, these changes have led to further divergence between UK and EU data protection law.

Third, between September 2021 and November 2021 the UK Government ran a consultation on reforms to the UK data protection regime. This consultation set out almost 150 pages of proposed amendments to the UK GDPR. Whilst some such amendments to the UK GDPR may be positive (e.g. if they simplify the data protection regime in Britain and make it easier to navigate for businesses and individuals), substantial deviations from the EU GDPR may put the UK adequacy decision at risk. In other words, if the UK GDPR strays too far from the EU GDPR, the European Commission may revise its earlier decision and conclude that UK data protection law is no longer broadly aligned with EU data protection law (which could lead to further costs/obstacles if additional safeguards are required to transfer personal data between the EU and the UK).

In summary, if the last time you thought about data protection was May 2018 when the GDPR first came into force, 2022 is the year for a data protection refresher. In particular:

· Check that you have appointed a legal representative in the EU (if applicable);

· Review your contracts to ensure that any SCCs are correct and up-to-date (if applicable); and

· Review things like your website privacy policy, your internal data processing record, your data breach register and your data processing agreements.

Our team are specialists in data protection law and practice. If you would like to arrange a free consultation with one of our lawyers, please get in touch with us on 020 7096 2779 or info@briffa.com.