Does this section apply to us?

This section is of interest to all UK businesses and organisations whose processing of personal data is currently subject to the EU GDPR.

What are the key points?

  • Privacy notices – the information required in your privacy notice is unlikely to change. You may need to review your privacy notice to reflect changes to international transfers, review references to your lawful bases or conditions for processing if any refer to ‘Union law’ or other terminology changed in the UK GDPR, and to identify your EU representative (if you are required to have one).
  • Rights of data subjects – as a reminder, if the UK GDPR applies to your processing of personal data, it doesn’t matter where in the world the individuals whose data you process are located.
  • Documentation – the information required in your record of processing activities is unlikely to change. You may need to review it to reflect changes regarding international transfers. If you have chosen to record the lawful basis or conditions for any of your processing, you need to review any references to “Union law” or other terminology changed in the UK GDPR.
  • Data Protection Impact Assessments (DPIAs) – existing assessments may need to be reviewed in the light of the UK GDPR; for example, if they cover international data flows which on exit date become restricted transfers.
  • Data protection officers (DPOs) – if you are currently required to have a DPO, on exit date that requirement will continue, whether under the UK GDPR or the EU GDPR. You may continue to have a DPO who covers the UK and EEA. The UK and EU GDPRs will both require that your DPO is “easily accessible from each establishment” in the EEA and UK.
  • Codes of conduct and certification – the EDPB is working on guidance regarding codes of conduct and certification, and how those schemes may be used for transfers. We do not expect there will be any codes of conduct or certification schemes which are authorised before exit date. The ICO’s work on introducing codes of conduct and certification schemes within the UK will continue after the UK has left the EU.