The Brexit Transition Period may have ended, but not all post-Brexit arrangements have yet been finalised, including data protection for businesses that trade between the UK and the EU. Safeguarding your business’s data – and the personal information of your customers, suppliers, and employees – is one of your key responsibilities as a business owner or data controller.
Under the Transition Deal, which was finalised in late December 2020, it was agreed that data can continue to flow between the UK and the European Economic Area (which includes all EU member states, plus Norway and Switzerland) until 30th June 2021 without restriction (known as ‘the bridge’). If your business receives personal or health-related data from a country in the EEA, it is advisable to implement safeguards by the end of April to insure against interruptions to the flow of personal data once ‘the bridge’ ends.
The EU-wide GDPR was incorporated into UK law in 2018 and is now effective as the UK GDPR. This is a UK-specific regulation that forms part of the Data Protection Act 2018. While the requirements are similar to the EU GDPR, businesses should update their GDPR documentation to ensure it aligns with UK GDPR, particularly Article 30 records, DPIAs, privacy notices, and Subject Access Requests, which should reflect the UK’s independence. If your business trades with companies or individuals in the EEA, the EU GDPR is an ongoing requirement.
UK GDPR is regulated by the Information Commissioner’s Office (ICO) for UK transactions. However, the ICO has no jurisdiction over EU states, so personal data exchanged with EEA member states is governed by regulators in the EU. You may need to appoint an EU representative if your business offers medical goods or services to people in the EEA.
Northern Ireland, as part of the UK, is subject to the UK GDPR. No special arrangements have been implemented.
Infringements of the UK GDPR or EU GDPR are potentially serious. The maximum fines that may be levied are £17.5m/€20m or 4% of annual global turnover. For this reason – and the reputational damage to your brand – ensuring you work with compliant businesses when processing, handling, or disposing of data is vital.
At CAS, we’re committed to full compliance with the Data Protection Act 2018 and UK GDPR. As specialists in the provision of document storage, archiving, and disposal, we’ve taken steps to ensure we understand the implications of the UK’s exit from the EU and can assist your business to fulfil its legal obligations, too. Our document retention schedule, for example, outlines how long different types of documents should be retained.
We can also destroy redundant material to protect against accidental or malicious data leaks. Our double shredding service comprehensively destroys unwanted paperwork, and IT asset disposal ensures the safe disposal of data storage devices in line with UK GDPR and Waste Electrical and Electronic Equipment (WEEE) regulations. To find out more about our services, feel free to get in touch on 0845 50 50 003.