On January 31, 2020, at 11pm GMT, the United Kingdom officially left the European Union. This official parting of ways followed a June 2016 vote that took place in the UK and Gibraltar. Since that day, the UK-EU membership referendum has been dubbed the Brexit (British exit) referendum, or just simply “Brexit.”
Following Brexit Day, the uncertainty over how the UK-EU relationship will proceed has led to some confusion among organizations working in, or with, the UK and the EU.
At Proxyclick specifically, we’re getting questions from our UK- and EU-based customers on how Brexit affects them in regards to the General Data Protection Regulation (GDPR), an EU regulation on data protection and privacy.
We sat down with our Privacy Specialist, Anne-Michèle Goris, to break it all down for you with 4 important questions.
1. Does GDPR still apply in the UK?
No. Since 31 December 2020, the EU GDPR no longer applies in the UK.
However, with effect from 1 January 2021, the UK Data Protection Act 2018 (DPA 2018) and the EU GDPR were merged and amended to form new UK-specific data protection legislation, known as the UK GDPR.
The UK GDPR is broadly similar to the EU GDPR, with only a few differences. The ICO, the UK supervisory authority, provides extensive guidance and resources for organizations; the main takeaways are summarized below.
The most important differences between the EU GDPR and the UK GDPR are the following:
The definition of personal data is narrower in the UK GDPR than in the EU GDPR;
The processing of criminal-offence data does not require official authority under the UK GDPR, contrary to the EU GDPR;
Automated decision-making is allowed under the UK GDPR subject to legitimate grounds, contrary to the EU GDPR, where data subjects have the right to refuse it;
Data subject access rights can be waived under the UK GDPR if they would significantly constrain an organization’s legitimate need to process data for scientific, historical, statistical and archiving purposes, which is not the case under the EU GDPR;
Fines go up to £17.5 million under the UK GDPR, contrary to the EU GDPR, where the maximum fine is €20 million or 4% of the organization’s annual global turnover.
As a consequence of the UK not being subject to the EU GDPR anymore, UK organizations must verify whether they should:
Appoint an EU representative: If a UK organization offers goods or services to, or monitors the behavior of, EU individuals, and does not have an establishment in the EU, it might have to appoint an EU representative;
Identify a lead supervisory authority in the EU: It must be assessed whether an EU supervisory authority may act as the organization’s lead supervisory authority;
Update contracts governing EU–UK data transfers: For now, data transfers from the EU to the UK can continue without implementing additional measures. This is a consequence of the new four-month transition period for EU–UK data transfers, which started on 1 January 2021 and which can be extended by another two months.
Update policies, procedures and documentation, such as privacy policies, data processing registers and DPIAs, that reflect all relevant changes.
Note: Any UK organization that offers goods or services to, or monitors the behavior of, EU residents will still have to comply with the EU GDPR.
EU organizations that offer goods or services to, or monitor the behavior of, UK individuals, and that do not have an establishment in the UK, might have to appoint a UK representative.
2. Do Proxyclick customers need to make changes related to retaining visitors’ data in the EU?
At this moment, no.
In the next few months, we will closely follow any decisions taken in relation to data transfers between the UK and the EU.
Also note that our software allows users to select how long they retain individuals’ data. Should organizations need to make retention period changes in the future to remain compliant with data privacy laws in the UK, these changes can be applied in Proxyclick’s data privacy settings.
If companies operate in multiple locations, such as in the EU and the UK, they can adapt the retention period independently.
3. What’s the best way to stay updated on the post-Brexit data protection landscape in the UK?
As with many major break-ups, there’s still a lot to be discussed. Further developments may occur while officials decide on certain issues like EU-UK transfers.
The ICO will remain the independent supervisory authority for businesses operating in the UK; continue to look to it regarding the UK’s data protection legislation.
Worried? Fear not. As the year goes on, we all should come to better understand the data protection situation between and within the UK and EU. At Proxyclick, we’ll be monitoring key decisions and changes made, and will keep you informed alongside the ICO.
4. How can you make sure your visitor management system is GDPR-compliant in the meantime?
At Proxyclick, GDPR compliance has always been, and still remains, an integral part of our offering. We take data protection very seriously, and allow companies to customize privacy settings to meet their multi-location needs.
To that end, we've compiled the following list of steps to follow to maintain a GDPR-compliant visitor management system:
We've also published the following resources on GDPR visitor management:
For more information, check out our conversation on GDPR and data privacy in the pandemic era with thought leaders from around the globe, below.
You can also check out our full GDPR guide to compliant visitor management systems, below.
Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.