Transferring data from the European Union to the United Kingdom
The European Commission's announcement on Monday, 28 June 2021 that it had adopted two adequacy decisions for the UK, one under the GDPR and one under the Law Enforcement Directive, will come as a relief to many small businesses operating in Ireland and across Europe.
The decision does not change the UK's status: since Brexit the UK is a "third country" for the purposes of the General Data Protection Regulation. What it does is allow personal data to continue to flow from the EU to the UK without any further safeguard or authorisation, because Article 45 of Regulation (EU) 2016/679 empowers the European Commission to determine that a country outside the EU offers an adequate level of data protection. (Transfers in the other direction are governed by UK law, which treats the EEA as adequate.)
The Commission has found that the level of protection for personal data under UK law is essentially equivalent to that under the EU GDPR. Therefore no additional safeguards, such as standard contractual clauses, are required when transferring data to Northern Ireland or other parts of the UK.
However, this is the first time that an adequacy decision includes a "sunset clause", which strictly limits the decision to four years. Renewal is conditional on the UK continuing to provide an adequate level of data protection, and the Commission may suspend, amend or repeal the decision at any time if UK law no longer offers equivalent protection for the personal data of EU data subjects.
The decision will come as a relief to many SMEs, especially those in IT and finance whose businesses use cloud-based services and data centres located in the UK. The uncertainty was proving troublesome for many, particularly where employee data and payroll records, as well as health records, were stored in the UK.
The UK now joins 12 other countries and territories with positive adequacy decisions from the EU, such as Switzerland, Canada (for commercial organisations) and New Zealand.
The decision is not without controversy, as some privacy experts and sceptics claim that elements of UK state surveillance are incompatible with the GDPR.
What does this mean for my business?
Irrespective of the adequacy decision for the UK, all businesses must still comply with the GDPR and the key principles at the heart of the regime, set out in Article 5:
Lawfulness, fairness, and transparency: Any processing of personal data should be lawful and fair. It should be transparent to individuals that personal data concerning them are collected, used, consulted, or otherwise processed and to what extent the personal data are or will be processed.
Purpose Limitation: Personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data.
Data Minimisation: Processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
Accuracy: Controllers must ensure that personal data are accurate and, where necessary, kept up to date, taking every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Storage Limitation: Personal data should only be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and Confidentiality: Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including protection against unauthorised or unlawful access to or use of personal data and the equipment used for the processing, and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability: Finally, the controller is responsible for, and must be able to demonstrate, compliance with all of the above principles. Controllers must take responsibility for their processing of personal data and how they comply with the GDPR, and be able to demonstrate (through appropriate records and measures) that compliance.
Data flow mapping under the EU GDPR
Businesses within Ireland may continue to transfer data to UK-based service providers. To comply with the EU GDPR (General Data Protection Regulation), organisations need to map their data flows to assess privacy risks. That map should record which transfers rely on the UK adequacy decision, so that an Article 46 safeguard such as standard contractual clauses can be put in place if the decision lapses at the end of its four-year term or is withdrawn earlier.
Data flow maps form part of your Article 30 records of processing activities. They are also an essential first step in completing a DPIA (Data Protection Impact Assessment) under Article 35.
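The following Python example, added here and not part of the original article or its author's tooling, sketches how a data-flow map can be checked against a table of adequacy decisions: it flags transfers to destinations with no adequacy decision and no Article 46 safeguard, and transfers whose only basis is an adequacy decision that has lapsed or is about to expire. The adequacy table, the sample flows, the 180-day warning window and the severity labels are constructed assumptions; the "GB" expiry is the article's adoption date plus the four-year sunset, and the whole table must be checked against the Commission's current list before use.

```python
# Added example: checking a data-flow inventory against adequacy decisions.
# Illustrative code written for this article, not the author's own tooling;
# the adequacy table, flows and warning window are constructed assumptions.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple, Union

# Constructed adequacy table: ISO country code -> expiry date, or None where
# the decision has no sunset clause. "GB" uses the article's adoption date
# (28 June 2021) plus the four-year sunset; the other entries are
# illustrative and must be checked against the Commission's current list.
ADEQUACY = {
    "GB": date(2025, 6, 27),
    "CH": None,
    "CA": None,
    "NZ": None,
}

# Article 9 special categories warrant a higher severity when their
# transfer basis is about to lapse.
SPECIAL_CATEGORIES = {"health", "biometric", "genetic"}


@dataclass(frozen=True)
class Flow:
    """One transfer of personal data to a service provider (a row in the map)."""
    name: str
    categories: Tuple[str, ...]      # data categories, e.g. ("name", "health")
    recipient: str
    country: str                     # ISO 3166-1 alpha-2 of the processing location
    safeguard: Optional[str] = None  # Article 46 mechanism, e.g. "SCC" or "BCR"


@dataclass(frozen=True)
class Finding:
    flow: str
    severity: str   # "medium" or "high"
    reason: str


def assess_flow(flow: Flow, today: date, warn_days: int = 180) -> Optional[Finding]:
    """Return a Finding if the flow's transfer basis needs attention, else None."""
    sensitive = bool(SPECIAL_CATEGORIES & set(flow.categories))

    if flow.country not in ADEQUACY:
        if flow.safeguard:
            return None  # Article 46 safeguard documented; nothing to flag
        return Finding(flow.name, "high",
                       f"transfer to {flow.country} has no adequacy decision "
                       "and no Article 46 safeguard")

    expiry = ADEQUACY[flow.country]
    if expiry is None or flow.safeguard:
        return None  # open-ended adequacy, or a fallback safeguard already in place

    days_left = (expiry - today).days
    if days_left < 0:
        return Finding(flow.name, "high",
                       f"adequacy decision for {flow.country} lapsed on "
                       f"{expiry.isoformat()} and no fallback safeguard is recorded")
    if days_left <= warn_days:
        return Finding(flow.name, "high" if sensitive else "medium",
                       f"adequacy decision for {flow.country} expires in "
                       f"{days_left} days; prepare a fallback safeguard")
    return None


def assess(flows: List[Flow], today: Union[date, str], warn_days: int = 180) -> List[Finding]:
    """Run assess_flow over the whole map; `today` may be a date or an ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = (assess_flow(f, today, warn_days) for f in flows)
    return [f for f in findings if f is not None]


# Constructed sample inventory for an Irish SME (not real data).
SAMPLE_FLOWS = [
    Flow("Payroll processing", ("name", "bank_account", "salary"), "UK payroll bureau", "GB"),
    Flow("Occupational health records", ("name", "health"), "UK cloud EHR service", "GB"),
    Flow("CRM hosting", ("name", "email"), "US SaaS vendor", "US"),
    Flow("Backup replication", ("name", "email"), "US cloud region", "US", safeguard="SCC"),
    Flow("Support ticketing", ("name", "email"), "Swiss provider", "CH"),
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_FLOWS, "2025-01-15"):
        print(f"[{finding.severity}] {finding.flow}: {finding.reason}")
```

Run against the sample map in January 2025, the two UK flows are flagged because their only transfer basis expires within the warning window (the health-record flow at higher severity), the unsafeguarded US flow is flagged outright, and the SCC-backed US flow and the Swiss flow pass. The same map run after the UK sunset date reports the UK flows as lapsed, which is the situation the Article 30 record is meant to let you anticipate rather than discover.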