The Information Commissioner (ICO) is calling on the UK’s businesses to check whether they are impacted by data protection law before the end of the UK’s transition period with the EU on 31 December.
Businesses and organisations that are affected need to take steps to ensure that data can continue to flow from the EU lawfully from 1 January.
The ICO is urging businesses to visit its website – ico.org.uk/keepdataflowing – to view guidance and resources on the actions they may need to take if they use personal data.
Research indicates that sharing personal data is essential to running the majority of SMEs. Any businesses receiving data from organisations in the EU or European Economic Area (EEA) must take action to ensure the flow of data doesn’t stop.
Personal data is classed as anything that relates to an identifiable individual and can relate to information about both customers and staff. HR records, customer details, payroll information and information collected through cloud services are all forms of personal data and could be affected.
Businesses are advised to continue complying with the Data Protection Act 2018 and General Data Protection Regulation (GDPR) and to prepare by understanding where the personal data they use comes from.
For most businesses and organisations, Standard Contractual Clauses (SCCs) are the best way to keep data flowing on EU-approved terms. The ICO website hosts an SCC Interactive Guidance tool to assist SMEs.
Businesses should also review their privacy information and any documentation to identify changes that need to be made at the end of the transition period.
As part of the negotiations, the EU is yet to make a decision as to whether it accepts that the UK’s data protection regime is still adequate. An adequacy decision is still possible but the timing is unclear.
“We appreciate there is a lot of pressure on businesses right now, especially given the impact of the pandemic. However, sharing personal data is essential to the running of many businesses and it is vital you take action to ensure that data can continue to flow,” Elizabeth Denham, Information Commissioner, said.
“As we don’t know what the outcome will be from the EU, there is an even bigger need for businesses to prepare now.”
“The ICO appreciates data protection can seem daunting to SMEs, which is why we have created a specific suite of products to help small businesses prepare. I encourage people to visit the ICO’s website to understand what steps they need to take and to keep up-to-date.”
SME Data Checklist
At the end of the UK’s EU exit transition period, there may be changes to personal data protection rules that could impact many UK businesses.
If your business falls into one of these categories, it is important to take steps before the end of the transition period:
- UK-based business or organisation that receives personal data from contacts in the EEA
- UK-based business or organisation with a European presence or customers
1. Take stock of the personal data you hold and map your data flows. You should establish if you are receiving personal data from the EU/EEA.
2. Put Alternative Transfer Mechanisms in place (most likely Standard Contractual Clauses). For most businesses and organisations receiving data from the EU/EEA, these are the best way to keep data flowing to the UK. To help navigate Standard Contractual Clauses, the ICO offers an SCC Interactive Guidance Tool to take you through the process.
3. Appoint a suitable representative in the EU/EEA. This may be applicable if your business is only based in the UK but offers goods or services to, or monitors the behaviour of, individuals in the EU/EEA.
4. Keep up to date. Information can change rapidly so stay informed.