On 25 May 2018, the UK implemented the General Data Protection Regulation (GDPR) under the Data Protection Act 2018 – a requirement as a member of the European Union (EU) to create a common standard of data protection across the European Economic Area (EEA).
A benefit of being an EU member state was the ease with which employers could transfer personal data, such as payroll and HR records, between the UK and the EEA. Now that the UK is no longer an EU member state but has implemented GDPR, does Brexit create any potential issues for employers’ workforce data processing obligations?
Let’s take a look.
Identifying your workforce data flows
To understand any implications, employers will need to revisit their data flows to identify any cross-border transfers of employee personal data.
For UK employers with employees based solely in the UK, there should be few implications.
However, UK employers with employees in the EEA may need to take additional measures to ensure workforce data flows can continue from the EEA to the UK. For example, if an employer’s UK-based HQ houses its HR function, the employer will likely be transferring workforce data from the EEA to the UK.
Why are these additional measures needed?
For data flows from the EEA to another country outside the EEA, the European Commission (EC) must be satisfied that country has an adequate data protection regime. If it does not, any employer wishing to transfer personal data from the EEA to that country must put in place additional safeguards to protect the privacy of that personal data.
With the UK leaving the EU and sitting outside the EEA, it needed an adequacy finding from the EC for personal data to flow freely from the EEA to the UK. As we counted down to the end of the Brexit transition period on 31 December 2020, the EC still hadn’t made an adequacy finding.
Thankfully, the trade and cooperation agreement reached by the UK and the EU shortly before Christmas included a six-month grace period. This allows data transfers from the EEA to the UK to continue until adequacy decisions are agreed, provided the UK’s current data protection regime continues.
Businesses therefore breathed a collective sigh of relief as data transfers could continue uninterrupted.
It should be noted that transfers of personal data from the UK to the EEA can continue without additional measures being put in place. This is because the Information Commissioner’s Office has confirmed that, on a transitional basis, member states of the EU and EEA are all deemed adequate to allow data flows from the UK.
What actions should you consider taking now?
The good news is that the EC has recently published its draft UK adequacy decision under GDPR. However, this must still be ratified by the European Data Protection Board and a committee of EU member states before the adequacy decision is formally adopted.
Employers should therefore now put in place additional safeguards to prevent any interruption to their businesses arising from the transfers of workforce personal data from the EEA in case no adequacy finding is made when the six-month grace period ends on 30 June 2021.
Those safeguards might include:
- binding corporate rules between group companies, or
- standard contractual clauses where data is being transferred from third parties.
If you need any help with your legal obligations concerning transfers of workforce personal data, please contact Charlie Barnes.