Life after Brexit: key changes in legislation for data
GDPR
The European General Data Protection Regulation came into effect in May 2018 and was designed to protect individuals’ data from unauthorised use or disclosure and invasions of privacy. The GDPR will no longer apply in the UK in its current form, although the Data Protection Regulations 2019 effectively introduce the ‘UK GDPR’ into national law, supported by the Data Protection Act 2018. In short, this means that businesses will continue to need to comply with the GDPR’s requirements, albeit under a different regulation.
There are also new regulations that apply to businesses that are based in the UK and don’t have a base or office in an EU or EEA state, yet still trade with, offer services to or monitor the behaviour of individuals in the EEA. In this instance, the business may be required to appoint a representative in the EEA to act on its behalf regarding EU GDPR compliance. The representative must be based in a country where some individuals whose data the business is processing are located, and the business must provide details of the representative to both individuals and supervisory authorities. This could be, for example, in your privacy policy and on your website so it is publicly available. It also means that businesses that trade with Europe are subject to both the UK and EU GDPR requirements and could, in a worst-case scenario, be subject to enforcement action in more than one country.
Action: have you updated any policies and references to GDPR in your documentation and on your website? Have you appointed an EEA representative and updated your policies and website accordingly?
These notes have been prepared for the purpose of an article only. They should not be regarded as a substitute for taking legal advice.