In preparation for the end of the Brexit transition period of 31st December 2020, the Information Commissioner’s Office (ICO) has released guidance for businesses which handle personal data of EEA citizens.
While the General Data Protection Regulations (GDPR) will remain in effect after the Brexit transition ends subject, as it is retained in domestic law, changes to the framework may see it diverge from EU regulations from 2021. If someone in the EEA sends personal data to someone else who is outside the EEA, they must comply with GDPR rules on international transfers of personal data. The EEA includes all EU member states, plus Iceland, Liechtenstein and Norway.
The ICO has developed an interactive tool for small and medium sized organisations in the UK who need to ensure a smooth flow of data between the UK and EEA nations, such as customer, employee or supplier records. In these instances, businesses will require a contract to be in place and the ICO tool can help to build these agreements in line with EU standards.
The Wilmslow-based organisation has also published comprehensive guidance for small- and medium-sized enterprises on its website.
If the transition period ends before the EU Commission makes an adequacy decision about the UK, most of the data protection rules affecting small to medium-sized businesses and organisations will stay the same after Brexit.
More in-depth guidance has also been published for larger organisations which employ a Data Protection Officer with specific responsibilities for data protection.