Data Protection – post BREXIT update

On 25 May 2018, the Data Protection Act 2018 came into force and represented the UK’s adoption of the EU’s General Data Protection Regulation (GDPR).

As this Act fully implemented the requirements of the GDPR and was considered to be adequate by all EEA countries prior to BREXIT, a reasonable person might have believed that this would automatically continue after the UK left the EU. But that was not the case. As could only happen when a megalithic bureaucracy is involved, the EU did not recognise the UK’s data protection laws at the end of the transition period in December 2020 – indeed there was some talk that they were in some way deficient!

Since then, discussions have been under way on a couple of areas of concern to ATEB and our readers, namely financial services and data protection. It looks extremely unlikely that the EU will grant ‘equivalence’ to UK financial regulations, despite those also having been in lockstep with EU regulations for years. There is, however, better news on data protection.

On 19 February 2021, the European Commission published its draft UK adequacy decisions. Those adequacy decisions are now with the European Data Protection Board (EDPB) who will, in due course, deliver an opinion to the European Commission and representatives from the EU member states. (Did we mention bureaucracy already?) If adopted these decisions will allow for continued free flow of personal data from the EU into the UK as a ‘third country’.

The ‘new’ situation

Restricted transfers from the UK to other countries, including to the EEA, are now subject to transfer rules under the UK regime. These UK transfer rules broadly mirror the EU GDPR rules, but the UK has the independence to keep the framework under review.

The rules include provisions permitting the transfer of personal data from UK to the EEA and to any countries which, as at 31 December 2020, were covered by a European Commission ‘adequacy decision’. The listed third party ‘countries’ whose data protection is considered adequate are Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.

The UK government has the power to make its own ‘adequacy decisions’ in relation to third countries and international organisations. In the UK regime these are now known as ‘adequacy regulations’.

There are also provisions which allow the continued use of any EU Standard Contractual Clauses (‘SCCs’), valid as at 31 December 2020, both for existing restricted transfers and for new restricted transfers (see here). There should always be a formal agreement in place between firms sharing data or to whom data is transferred.

Data sharing within a group of firms

Many firms have subsidiaries or are owned by another firm. Care needs to be taken when sharing data ‘within’ the group. Data sharing can apply even where data is shared between firms that are part of the same group of firms. So, the rules on sharing may need to be followed. A useful test is whether firms have (or should have) their own data controller registration with the ICO but there is further guidance in the ICO data sharing code of conduct. That can be found here and provides a pretty good list of all the things that should be considered.

In brief, any ‘third party’ with whom data will be shared must be specifically named on the privacy notice as a potential recipient of shared data, or prior to the sharing of any data with that third party. Then there should be an appropriate contract in place between the principal company as data controller and the secondary firm as data processor (see here). This should specify a lawful basis for sharing and also the safeguards and standards to be implemented.

Important Note: ATEB news is intended to provide general information ONLY. The content, including any views expressed or guidance provided, does not replace the need to comply fully with FCA Rules and Guidance. Unless you have discussed news article content with ATEB, and specifically how it relates to your circumstances, then ATEB disclaims all liability and responsibility and actions arising from any reliance placed upon it. For the avoidance of doubt therefore, any reliance you place on such information without our consultation is at your own risk.

ATEB Compliance offers compliance and regulatory advice.

ATEB Suitability provides report writing software for the financial services market.

Our View

For information. ATEB can help firms to create a robust and compliant data protection process.

Action Required By You

Firms that share data or that transfer data outside the UK should note the points listed here and obtain further detail as required from the ICO website.
SUIT - Beautiful Reports
SUIT - Complete Control
SUIT - Comp confidence
previous arrow
next arrow

About the Author

Technical Manager - Often referred to as the Oracle or the Sage, Alistair has a wealth of financial services experience. He is our go-to Technical Manager and enjoys nothing more than a complicated conundrum. Feel free to test his renowned knowledge by getting in touch.

Contact Us

Brought to you by

Explore more articles in this category

Other articles that you might be interested in