When we left the EU the UK ported over the GDPR rules and called it the UK GDPR. At least that was pragmatic and made sure there wasn’t another huge upheaval for business.
We had already created the Data Protection Act 2018 to tie into the GDPR rules in 2018, and this served to fill in the blanks left by GDPR for each Nation to fill in, and created specific criminal offences in the UK.
So what are the headlines for business post Brexit?
First, nothing has really changed. The same rules apply. We have been given Adequacy status (28 June 2021) in terms of data privacy GDPR rules so data can flow between us and the EU, but this status is subject to a fixed timeline of 4 years and our status may not be renewed and may even be withdrawn in this period if we do not keep close to the EU’s rules here.
2. International Personal Data Transfers
If you are using suppliers or systems based outside the UK then you have to still look at where they are based, and if outside a few approved jurisdictions (EU/EEA/Canada/ Argentina and a few smaller ones) then you need to check they have an approved legalizing document in place (if they are in the USA then that is problematic). They used to be called the EU Model Contracts or Standard Contractual Clauses. We adopted them, and they are still lawful to use for now, but the UK has now approved its own version called International Data Transfer Agreements. If you are UK based only then they should be ok, but if you are multi-national you may want to still use the EU versions.
3. The Appointment of a Data Protection Officer or EEA Representative
Some businesses still must appoint a Data Protection Officer, but all must have someone who is responsible for implementing the rules around personal data. A UK business that has subsidiaries or operations in the EU will have to appoint someone there to be their local DPO in effect.
Website owners still need to obtain consent from users to place non-essential cookies on their browsers. Simply put, users can and must be given the option to choose to accept or reject all non-essential cookies. Failing to do that gives each site visitor a claim. Moreover, UK businesses must update their privacy policies according to the UK-GDPR regulations to run alongside their cookie policy.
The UK government has consulted recently on possible changes to the rules, the results of which are widely awaited, although most of the proposed changes are not going to make much difference to most businesses.
Whether you’re a new business or still transitioning into the new regulation flow, you need to keep up with the latest UK-GDPR updates to remain compliant. Corporation Tax Rebates is the UK’s first tax recovery service based on data risk and compliance. Our team can help you mitigate financial and data risk through UK-GDPR compliance so you can avoid hefty fines, maintain credibility and protect your data.
Corporation Tax Rebates is the UK’s First Corporation Tax Recovery Service Based on Data Risk Compliance. If you have paid more than £20,000 in Corporation Tax in the last two to three years, we can help you claim the overpaid tax back. Our team can help you mitigate financial and data risk through GDPR compliance, relieving your business of these challenges and increasing the value of your business.