If you are a UK business or organisation that receives data from contacts in the EEA, you need to take extra steps to ensure that the data can continue to flow at the end of the transition period.
- The UK is committed to maintaining the high standards of the GDPR and the government has incorporated it into UK law (the UK GDPR) alongside the Data Protection Act 2018. UK businesses will be covered by the UK data protection regime.
- The UK government has stated that transfers to the EEA are not restricted. So if you send data from the UK to the EEA, you will still be able to do so, and you don’t need to take any additional steps.
- If a business or organisation in the EEA is sending you personal data, then it will still need to comply with EU data protection laws. Data can continue to flow whilst the bridge is in place. We recommend you put alternative safeguards in place before the end of April, if you haven’t done so already.
- For most businesses and organisations, SCCs (Standard Contractual Clauses) are the best way to keep data flowing to the UK. Use our SCC Interactive Guidance tool to help you.
- Take stock so that you can identify overseas data acquired before the end of the transition period (known as ‘legacy data’). Data you collected before the end of 2020 about people who were located outside the UK at the end of 2020 will be subject to the EU GDPR as it stood on 31 December (known as the ‘frozen GDPR’). You may use the latest information you have about where people were living, up to 31 December 2020. Personal data acquired since 01 January that is processed on the basis of the Withdrawal Agreement (for example if personal data is processed under a provision of EU law that applies in the UK by virtue of the Withdrawal Agreement) is also subject to the frozen GDPR.
- Make sure you review your privacy information and documentation to identify any minor changes that need to be made at the end of the transition period.
- Keep up to date with the latest information and guidance.