It’s official: the UK is no longer part of the European Union, and the transition period is rapidly coming to a close. What does this mean for data protection? Do businesses still need to comply with the GDPR after December 31st 2020?
Businesses that operate within the European Economic Area (EEA) and record their phone calls must check that their protection of voice data is sufficient for a post-Brexit world. If data is processed in the UK, they must ensure that they have contractual provisions in place to reflect any flow of data between the EEA and the UK. Any preparations need to take into account the negotiations that are continuing during the current transition period. GDPR may well remain part of UK law.
What legislation currently applies?
Parliament has passed The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, which is basically the GDPR but applicable to a UK-only context. This will apply from the end of the transition period. If you’re a business based outside of the UK and you offer goods or services to, or monitor, individuals in the UK, this is applicable to you. If you’re a UK business and you’re already compliant with GDPR, and you don’t have any customers or contacts in the EEA, then you’re already sorted…or are you?
Any data protection plans are contingent on an adequacy decision from the European Commission, where the European Commission decides whether the UK offers an adequate level of data protection. With a rewrite of UK data protection laws potentially on the horizon, an adequacy decision could be significantly delayed. If no adequacy decision is made, businesses may need to amend their current contracts in order to continue data transfers. The extra cost of this undertaking could be bad news for small businesses.
What happens after the transition period?
From January 1st 2021, the UK will be deemed a “third country” under the GDPR, which means personal data from the EEA can only be transferred if:
- The European Commission issues an adequacy decision
- Appropriate safeguards are in place
- There is an agreement of approved codes of conduct
- There is certification under an approved certification mechanism together with binding and enforceable commitments on the receiver outside the EEA
If you’re a UK business that receives personal data from contacts in the EEA, you will need to take extra steps to ensure that this data transfer can still go ahead. If you’re a UK business with some form of presence or customers in the EEA, you’ll have to comply with both the UK and EU legislation and may even have to appoint a European Representative. You will need to implement an appropriate mechanism to transfer personal data from the EEA to the UK and any onward transfers to another third country. Several of these mechanisms are already laid out in the GDPR, including standard contractual clauses adopted by the European Commission (SCCs).
Organisations should be able to continue transferring data from the UK to the EEA, but data protection documentation and contracts will require updating.
Businesses that transfer data from the UK to countries outside the EEA should be able to continue with existing processes for now, but any reforms of UK data protection laws could change that. The really tricky part is transferring to and from the US. This is due to the EU/US ‘Privacy Shield’ agreement being declared invalid by the EU Courts. This means yet more contract updates and appropriate safeguards.
What is Dubber doing to prepare for Brexit?
Dubber already complies with GDPR and will ensure that we continue to do so after the transition period, whether or not the UK is considered an adequate third country.
Let us know if you have any questions about voice data and Brexit.