EU GDPR – will this affect your business?
Remember the introduction of the General Data Protection Regulation (GDPR) that overhauled data protection rules a couple of years ago and required lots of changes to how individuals’ data was stored and processed?
Since the end of the Brexit transition period on 31 December 2020, UK businesses now have two versions of the GDPR to take into account – the UK GDPR and the EU GDPR.
The UK GDPR applies to businesses that offers goods or services to individuals in the UK, or that monitor the behaviour of individuals in the UK. The EU GDPR applies to businesses that offer goods or services to individuals in the European Economic Area (EEA), or that monitor the behaviour of individuals in the EEA.
Therefore, even though the UK has now left the EU, UK-based businesses that carry out the above activities in relation to EEA residents are still caught by the EU GDPR.
According to the Information Commissioner’s Office (ICO), the key principles, rights and obligations currently remain the same in both the UK GDPR and the EU GDPR. However, there are some differences, for example in relation to international transfers of personal data.
The current rules
The UK Government had previously confirmed that, at the end of the transition period, transfers of personal data from the UK to the EEA would continue to be permitted. However, the EU Commission had not given the same assurances concerning personal data to be transferred from the EU to the UK. Fortunately, on 28 June 2021, the EU Commission confirmed that the UK was deemed to provide an adequate level of data protection. Transfers of personal data can therefore continue between the two territories in the same way as before.
Are there other major changes?
The EU GDPR requires businesses processing personal data of individuals in the EEA who do not have a base in the EEA, to appoint a representative in the EEA or EU state where some of the individuals whose personal data is being processed are located.
The representative will act as a local point of contact for the business that they represent. They will be required to communicate with individuals and authorities in relation to compliance with the EU GDPR and deal with any supervisory authorities or data subjects.
The representative can be an individual, a company or an organisation. A simple service contract is suggested by the ICO when appointing a representative.
The business must then give the representative’s details to any EEA based individuals whose personal data are being processed. This could be achieved by including these details in a privacy notice. It could also be published it on the business’s website so that the supervisory authorities can access the information.
It is important to remember that the business will still be required to comply with its other obligations under the EU GDPR; appointing a representative does not relieve a business of its responsibilities regarding data protection.
There are some exceptions; you don’t have to appoint a representative if you are a public authority or your processing is only occasional, of low risk to the data protection rights of the individual and does not involve the large-scale use of special category or criminal offence data.
Rob Eakins, Solicitor
t: 07585 357238
w: Web Profile