HR Support & Focus – GDPR: What Lies Ahead For Your Business? | Plus C2S Member Offer From Willans

The Brexit transition period may be over, but there is still plenty for businesses to think about, including whether your data protection and privacy processes are compliant and fit for purpose.

Kym Fletcher, Consultant at Willans LLP solicitors and Chief Privacy Officer at Willans Data Protection Services, outlines some of the big post-Brexit GDPR issues you should be aware of. Read on for details of an exclusive offer for Circle2Success members.


Is personal data still allowed to flow freely between the UK and EU?

The agreed Brexit Treaty allows for personal data to flow freely between the UK and the EU (and EEA) for a four-month period, extendable to six months. So, in this respect, the status quo will not change for another few months.

Information Commissioner, Elizabeth Denham, said “This means that organisations can be confident in the free flow of personal data from 1 January, without having to make any changes to their data protection practices.”

The ICO adds “As a sensible precaution, before and during this period, the ICO recommends that businesses work with EU and EEA organisations who transfer personal data to them, to put in place alternative transfer mechanisms, to safeguard against any interruption to the free flow of EU to UK personal data.”

The reason is that, although it is hoped that after this period the UK’s data protection laws will be formally deemed ‘adequate’ by the European Commission, allowing free data flows in both directions, this is by no means certain, and the proposal faces opposition in certain quarters.

Four to six months is not a long period of time if you need to put operational changes in place. It would be wise to start preparing now if you haven’t already.


What is an ‘EU representative’ and do I need to appoint one?

The UK is now outside of the EU, so it is regarded as a ‘third country’. Many UK companies will need to have an ‘EU representative’ in place to act as a direct contact for the individuals whose data they are processing, and also data protection supervisory authorities in the EEA.

You will need an EU representative if your business does not have offices or branches in the European Economic Area (EEA) and you are offering goods or services to individuals in the EEA, or monitoring their behaviour through e.g. targeted advertising or data ‘profiling’, and are holding or processing their data for those purposes. This has become a requirement for UK businesses as of 1 January 2021, and for businesses in the rest of the world it’s been a requirement since 2018. Find out if you should have an EU representative. If you do need one, various data protection services organisations can act on your behalf, such as our sister company Willans Data Protection Services.


What is a supervisory authority and has this changed for the UK after Brexit?

Every organisation which falls under the scope of the GDPR is subject to a supervisory authority – an independent public authority founded by each member state to uphold information rights and privacy policy.

The so-called “one stop shop” principle provides organisations with just one authority to report a breach to, to communicate with and to be investigated by, even if they are processing personal data about individuals in a number of EU member states.

As of 1 January 2021, the ICO remains the UK’s independent authority overseeing data protection and privacy policy in respect of UK GDPR but has ceased to be considered a “supervisory authority” under the EU GDPR.

Organisations which might be based in the UK but carrying out data processing activities via a related entity in the EU now have an opportunity to consider which supervisory authority they would like to be regulated by from now on, and how to adapt their data processing activities so that they can be regulated by their preferred EU supervisory authority.


Do I need to change my .eu domain name?

As of 1 January 2021, UK companies and individuals are no longer eligible to hold a .eu domain, as these can only be registered or held by EU citizens, EU member state residents or organisations established in the EEA.

It would be advisable to check if your business has any .eu domains and to address this now.


How can I get support with GDPR and data protection issues for my business?

The data protection group in law firm Willans LLP provides organisations with wider advisory services concerning GDPR compliance, such as:

· GDPR audits

· drafting policies

· preparing legal documentation and bespoke legal advice.

Our sister company, Willans Data Protection Services, was founded by legal and data protection experts Matthew Clayton and Kym Fletcher, who are recognised by the world’s largest global information privacy community. It provides organisations operating on a multi-national basis with EU and UK Representative solutions, outsourced Data Protection Officer services and training solutions under the GDPR.


C2S member offer | 15-minute GDPR consultation from Willans

C2S members will also be able to benefit from a free 15-minute GDPR consultation from Kym Fletcher, one of Willans’ data protection legal experts.

Ex-City lawyer Kym has over 25 years’ experience in advising businesses on a wide range of commercial legal matters. A specialist in GDPR and data protection, Kym is also a certified member of the International Association of Privacy Professionals. For information on how to book your 15-minute GDPR consultation with Kym, please visit this page to access the C2S member offer.