For better or for worse, 2020 is coming to an end. This means the end of the Brexit transition period is also just around the corner.
On December 31, 2020, the post-Brexit transitional arrangements between the EU and the UK will expire. However, the EU GDPR will be retained in UK domestic law (with only minimal modification) as the so-called "UK GDPR."
Despite the similarities between the UK GDPR and the EU GDPR, many organizations will still need to consider several key areas in relation to compliance with these two pieces of legislation.
Key areas that will need to be considered from January 1, 2021 onwards from a Brexit-related data protection perspective are:
- Addressing new restricted transfers: Transfers to the UK from the EEA (and vice versa) will become so-called "restricted transfers," which will require a transfer mechanism (e.g., reliance on a relevant adequacy decision, execution of appropriate Standard Contractual Clauses, etc.).
- New representatives: Many organizations will need to consider whether they are obliged to appoint UK representatives under the UK GDPR. In some cases, this requirement may be in addition to the obligation to appoint an EU representative under the EU GDPR. For example, this will be relevant for UK organizations that target goods or services at, or monitor the behavior of, data subjects in the EU, but that have no presence in the EU.
- Loss of one-stop-shop protections: The UK ICO can no longer be a lead supervisory authority. This means organizations that had identified the UK ICO as their lead supervisory authority will lose the benefits and protections of the EU GDPR's one-stop-shop regime (unless they effect a material restructuring of their data processing operations, i.e., moving their main establishment to an EU member state).
- Updates to documentation: Organizations will need to make several updates to data protection-related documentation (most notably privacy notices, data processing addenda and similar contractual arrangements, and internal policies and records). For example, changes will be required to address:
  - That the UK is no longer a member state of the EU and no longer party to the post-Brexit transitional arrangements
  - That the EU GDPR no longer has direct effect in the UK and has been replaced by the UK GDPR
  - That transfers to the UK from the EEA (and vice versa) constitute restricted transfers that require an appropriate legal basis (e.g., execution of appropriate Standard Contractual Clauses)