UK GDPR After Brexit
The obligations of companies in the UK with regard to compliance with personal data protection laws have changed slightly since 1 January 2021. What you should pay attention to depends on what your company does, where it is based, and whether it processes personal data of individuals residing in the UK or also in the EU.
All companies based in the UK still have an obligation to register with the Information Commissioner’s Office and pay the Data Protection licence fee (unless exempt), as well as comply with UK-GDPR personal data protection laws.
All companies in the UK should check their records regarding the processing of personal data in the company and:
- Change references to the legal basis from GDPR to UK-GDPR.
- If they send personal data to, or receive it from, other entities operating in European Union countries, they must ensure the legality of those data transfers (additional consents, protections, SCCs [standard contractual clauses]).
If you are a company based in one of the EU countries but process personal data of individuals residing in the UK (you have clients, suppliers, or your business involves monitoring people’s behaviour in the UK), you must appoint a UK representative. They will have the same obligations as an EU representative described above and will represent you in matters related to personal data subjects and the ICO – the UK government unit responsible for overseeing compliance with personal data protection laws in the UK.
If your organisation processes the personal data described above but does so only sporadically, it may be exempt from the obligation to have its own representative in the EU or UK, but must provide evidence to confirm this circumstance.
If you have any doubts about whether your documentation is compliant with the new legal state in the UK, please contact us.