By Sián Fields for Reynolds Attorneys.
The global data protection landscape is complicated and at times confusing to follow. The main piece of legislation dealing with data protection worldwide is the GDPR, and most other localised pieces of legislation follow the principles of the GDPR in order to qualify for an adequacy ruling, which enables the free flow of personal data between that country and the EU.
On 1 January 2021, the UK formally and effectively left the European Union in terms of Brexit. The UK is now considered to be a territory outside of the EU. As a result, the EU-GDPR no longer applies to the UK which impinges on the free flow of data.
As a result, the UK adopted the UK GDPR, which closely aligns with the EU GDPR. The UK GDPR is a regulation that amends the legislation that applied before the GDPR became law, namely the UK Data Protection Act of 2018.
The new UK GDPR is nearly identical to the EU GDPR. However, it is independent UK legislation governed and enforced by the UK data protection agencies and does not influence EU authorities. It does however facilitate the free flow of data following adequacy decisions from the UK in respect of the EU GDPR and from the EU in respect of the UK GDPR.
Transfers of data from the UK to third countries (i.e., outside of the EU) are addressed by the UK government, which confirmed UK organisations can rely on the same transfer mechanisms as under the EU GDPR, i.e., adequacy decision, appropriate safeguards, and exceptions.
On 2 February 2022, the Secretary of State in the UK laid before the UK parliament the international data transfer agreement (IDTA), the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (Addendum) and a document setting out transitional provisions.
If no objections are raised, they come into force on 21 March 2022. Data exporters will use the IDTA and Addendum instead of the Standard Contractual Clauses under the EU GDPR when exporting personal data to a third country.
The IDTA and Addendum replace the current standard contractual clauses for international transfers. They take into account the binding judgement of the European Court of Justice in the case commonly referred to as “Schrems II”.
The IDTA and Addendum form part of the wider UK package to assist international transfers. This includes independently supporting the government’s approach to adequacy assessments of third countries, including the ability of the UK government to make independent adequacy decisions.
The implication is that local businesses wishing to import data from the UK and the EU will now have to pass adequacy decisions with both the UK and the EU regulators. It is therefore important to understand where your data is flowing from and to, in order to ensure that you do not unintentionally fall foul of international and potentially local data privacy laws. You will need to make sure you have the right to receive data from the territory it is being exported from, as well as the right to export the data yourself where that forms part of a transaction.
What does this mean in practice?
If you are processing personal data in terms of a services agreement with an entity in Europe (be it the EU or UK) you will most likely be a data processor and not a data controller (operator and responsible party in terms of POPIA). As such your main obligations are as follows:
- Security: you must implement appropriate technical and organisational measures to ensure the security of personal data, including protecting against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access. For more information please read our guidance on security.
- Notification of personal data breaches: if you become aware of a personal data breach, you must notify the relevant controller without undue delay. Most controllers will expect to be notified immediately, and may contractually require this, as they only have a limited time in which to notify the supervisory authority. You must also assist the controller in complying with its obligations regarding personal data breaches. For more information please read our guidance on personal data breaches.
- Notification of potential data protection infringements: you must notify the controller immediately if any of their instructions would lead to a breach of the EU or UK GDPR or local data protection laws.
- Accountability obligations: you must comply with certain EU and UK GDPR accountability obligations, such as maintaining records and appointing a data protection officer.
What must I do now?
- Ensure you have sufficient data security policies implemented internally and that all staff are bound to comply with these policies.
- Ensure you have a breach notification process including relevant template forms in place.
- Ensure you have appointed an Information Officer (as required by POPIA) and have sufficient data retention and storage policies in place.
Please contact us if you are concerned that you do not have the required policies and processes in place and we can assist with a gap analysis and the drafting of the required policies and processes.