On January 31, 2020, at 11pm GMT, the United Kingdom officially left the European Union. This official parting of ways followed a June 2016 vote that took place in the UK and Gibraltar. Since that day, the UK-EU membership referendum has been dubbed the Brexit (British exit) referendum, or simply “Brexit.”
Following Brexit Day, the uncertainty over how the UK-EU relationship will proceed has led to some confusion among organizations working in, or with, the UK and the EU.
At Proxyclick specifically, we’re getting questions from our UK- and EU-based customers on how (or if) Brexit affects them with regard to the General Data Protection Regulation (GDPR), an EU regulation on data protection and privacy.
Allow us to break it all down for you with 5 important questions:
1. Now that the UK has left the EU, does GDPR still apply?
We’re now in what’s being called the Brexit transition period, which runs through December 2020. During this time, according to a January 29 statement by the UK’s Information Commissioner’s Office (ICO), it’s “business as usual for data protection.” The ICO is a non-departmental public body that reports to Parliament, set up to uphold information rights.
So yes, GDPR will continue to apply - for now. During the transition period, all businesses that process personal data should look to the ICO’s guide to data protection and Brexit for further advice. It’s also important to note that “during the transition period, companies and organizations that offer goods or services to people in the EU do not need to appoint a European representative” (see: ICO’s Brexit FAQs).
After the transition period, however, that could change for companies operating in the UK.
2. Do Proxyclick customers need to make changes related to retaining visitors’ data in the EU?
At this moment, no. Throughout the transition period, changes shouldn’t be necessary.
Take note, however, that our software allows users to select how long they retain individuals’ data. Should organizations need to make retention period changes in the future to remain compliant with data privacy laws in the UK, these changes can be applied in Proxyclick’s data privacy settings. If companies operate in multiple locations, such as in the EU and the UK, they can adapt the retention period independently.
3. What will happen to GDPR after the Brexit transition period?
Good question. This depends on negotiations that take place during the transition period. By default, according to the ICO, GDPR will be brought into the UK as the “UK GDPR.” This would coincide with the Data Protection Act 2018 (DPA 2018), which currently supplements and tailors GDPR in the UK. If you operate within the UK, you’ll need to be sure to comply with UK data protection law.
“The government intends to incorporate the GDPR into UK data protection law from the end of the transition period – so in practice there will be little change to the core data protection principles, rights and obligations found in the GDPR.” - Information Commissioner’s Office (ICO)
If you still operate in Europe, or offer goods or services to individuals in Europe, the EU version of GDPR may also still apply to you.
4. What’s the best way to stay updated on the post-Brexit data protection landscape in the UK?
As with many major break-ups, there’s still a lot to be discussed. Further developments may occur while officials decide on certain issues like UK-EU transfers. The ICO will remain the independent supervisory authority for businesses operating in the UK; continue to look to them regarding the UK’s data protection legislation.
Worried? Fear not. As the year goes on, we all should come to better understand the data protection situation between and within the UK and EU. At Proxyclick, we’ll be monitoring key decisions and changes made, and will keep you informed alongside the ICO.
5. How can you make sure your visitor management system is GDPR-compliant in the meantime?
Whether data privacy laws change in the UK after December 2020 or not, we repeat: GDPR is still the data privacy law you’ll need to comply with in the UK and EU (for now).
At Proxyclick, GDPR compliance has always been, and still remains, an integral part of our offering. We take data protection very seriously, and allow companies to customize privacy settings to meet their multi-location needs.
To that end, we've compiled the following list of steps to follow to maintain a GDPR-compliant visitor management system:
We've also published the following resources on GDPR visitor management:
For more information, check out our full GDPR guide to compliant visitor management systems.
Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.