With one of the most unexpectedly eventful years coming to an end — and some optimism surrounding the vaccine — many are looking towards 2021 for a fresh start in a what is in some ways, a transformed world. But 2021 brings with it the end of the transition period for the UK departure from the European Union — and with it, new challenges as UK businesses negotiate its impact, especially when it comes to data.
We spoke to Peter Wright, Managing Director of Digital Law, to find out what companies need to do now to be ready for it.
What can you tell us about Data 2021 and the change in laws?
The laws relating to international data transfers from Europe to the UK will change at midnight on the 21st December 2020. This will impact any UK-based organsation that relies on personal data whose cloud providers are located in the European Union. Personal data can include anything from names, addresses, email addresses to details relating to clients, video footage audio recordings to the storage of voicemail and CCTV footage.
As a member of the European Union, this personal data was able to enter the UK freely from Europe. But once the UK has left the EU, these data transfers must be governed by a data transfer agreement that contains what’s called standard contractual clauses (SCCs) to have access to these servers.
And not every company has SCCs in their contracts with suppliers?
No. It was hoped that an alternative arrangement such as an ‘adequacy decision’ would be part of a free trade arrangement that the British government were pursuing. That’s whereby the European commission allows data to pass freely from countries outside of the EU that they believe offer adequate and compliant with EU laws around data protection. There’s a list of countries that the European commission has made an adequacy decision form, including countries like Japan and Canada where there are EU free trade deals in place. We had hoped this would have applied to the UK as well, which would mean companies wouldn’t have to have SCCs in place; but now it looks like it’s not going to be the case. Suddenly, the free flow of personal data becomes a problem.
And what are your concerns for companies?
There’s a concern that a lot of organisations have not seen this as a priority. So much of the news coverage has focused on the exportation of manufactured goods to Europe as the main issue around Brexit; that perception has been enhanced by the British government’s own website. As a result, many organisations in the service sector are jumping to the conclusion that Brexit is not going to be a problem for them. In fact, according to a recent survey by the Law Society of England and Wales, ¾ respondents felt that either Brexit did not apply to them or that they had taken all the necessary measures. But the British economy is incredibly service-based; we’re the second largest exporter of services anywhere in the world. And the laws relating to international data transfers from Europe to the UK are going to change, very soon — and it’s going to affect many of these companies.
What do companies need to do?
Individual organisations in the UK need to be able to prove to any data protection regulator in the UK and Europe that they have the right mechanism in place. All contracts, terms of service or data sharing agreements with 3rd parties covering the processing of any personal data, including audio or video recordings need to be reviewed to ensure that they contain the necessary SCCs. This can be a big job, and the time to start, if you haven’t already, is now. Or you might find yourself without access to this important personal data come January 1st 2021.
You can get in touch with Digital Law should you require any help with your own contracts — or to learn more about the risks and implications for your business.