The General Data Protection Regulation (GDPR) came into force on 25 May 2018. It was brought into UK law by the Data Protection Act 2018. It replaced the Data Protection Act 1998. The new regime imposed additional obligations on data controllers who process personal data and provided enhanced rights to data subjects concerning their personal data.
Personal data is any data that can identify a living individual (“the data subject”), either from the data itself or in combination with other data held by a controller. Processing covers any use of personal data. A controller is a party that decides how personal data is processed.
The majority of businesses in Northern Ireland are SMEs. They will be controllers for data protection legislation purposes if they process personal data, e.g., customer contact details, email addresses, etc.
The UK has exited the EU. The transition period ends on 31 December 2020. When the transition period expires, GDPR will be retained in domestic law, but the UK will have the independence to keep this under review. UK GDPR will be accompanied by an amended version of the Data Protection Act 2018. The Government has already set out its planned amendments.
Post-transition, the key data protection principles, as well as the rights and obligations, will remain. For a business which trades only in Northern Ireland with only local customers and no intention to trade in the EEA, the burden of compliance will be much less. As a minimum, it will need to consider whether registration with the UK Information Commissioner’s Office is required. It will also have to check that all formal documents are amended to reflect that the UK is no longer a member state of the European Union and no longer party to the transitional arrangements. EU GDPR will no longer have direct effect and will be replaced by UK GDPR. Relevant documents may include data protection policies and procedures, privacy notices, data processing agreements and data sharing agreements. Changes should be in place by 1 January 2021.
The impact on businesses that trade in the EU will be larger. This will apply to any UK controller which has an establishment in the EEA, has customers in the EEA or monitors individuals in the EEA. In addition to implementing or amending contractual documents, those businesses will also need to consider:
- Any transfers of personal data between the UK and the EEA will be considered a “restricted transfer,” i.e., they are no longer considered a safe transfer and will require a lawful mechanism, such as an adequacy decision by the UK/EEA or the adoption of adequate safeguards such as standard contractual clauses. Businesses will need to check their arrangements in relation to transfers to and from the EEA and may need to amend contractual arrangements.
- Appointing an EU representative under EU GDPR
Small businesses are already dealing with the consequences of a pandemic. Resources are strained and are being directed to priorities. However, regulatory obligations under data protection legislation have not been suspended during COVID-19. Businesses that process personal data must comply. There can be significant penalties for non-compliance, especially when it results in a data breach.
This article has been produced for general information purposes and further advice should be sought from a professional advisor. For advice or information, please contact our Data Protection team at Cleaver Fulton Rankin.