Leading law firm FBC Manby Bowdler has urged companies with EU customers to act now over imminent changes to GDPR rules.
The ending of the UK’s transition period on December 31 will mean changes to the way companies must handle data regarding customers in the European Union.
David Preece of FBC Manby Bowdler’s Corporate department, said it was vital that businesses with customers in Europe keep on the right side of data protection legislation when the UK’s exit from the European Union is complete on January 1 2021.
“Under the European Union’s General Data Protection Regulation – or GDPR as it is known – there are strict requirements for businesses processing personally identifiable information about individuals who live within the EEA, which comprises the countries within the EU plus Iceland, Liechtenstein and Norway.
“GDPR has continued to apply alongside the UK Data Protection Act 2018 during the transition period, but any UK business managing personal data relating to EEA citizens after December 31 will have to act in line with the requirements of Article 27 of the GDPR.
“This spells out the obligations for data controllers and processors outside the European Union and requires any organisation without a presence to appoint a personal representative.
“Even though GDPR will be retained in domestic law at the end of the transition period, we will no longer be part of the EU, so if you handle data relating to citizens in the EEA and your organisation does not have an office or representation within Europe, then you will have to appoint someone to fulfil that requirement.
“You need a provider in the EEA who offers services as a GDPR representative to act on your behalf with individuals and data protection authorities in the EEA.”
David said small to medium-sized companies were most likely to be at risk because larger organisations would probably have a base somewhere in the EU.
“You may have gone through all the hoops to manage compliance when GDPR was introduced in 2018, but you must check the position now, to be sure you are going to be compliant from January onwards. You also need to make sure your privacy information and documentation is all up to date and reflects any changes that may be required, such as around European-based representation.
“If any such breaches came to light, there is the potential of high fines from the Information Commissioner of up to ten million Euros or 2% of global revenues so it’s worth getting everything checked by a specialist.”
The Information Commissioner’s Office, or ICO, is the independent supervisory body for the UK’s data protection legislation and will continue in that role post-transition. The ICO website includes guidance for data processors on managing the departure from the EU, with an interactive toolkit to help organisations understand what they need to do to maintain a free flow of data to the UK from the EU.
And the guidance highlights that it’s not just organisations who are dealing with European citizens that need to know where they stand.
“Post-transition, the provisions of GDPR will be incorporated directly into UK law, to sit alongside the Data Protection Act 2018. Any organisation operating in the UK and processing data regarding UK residents must continue to comply with all related legislation,” added Mr Preece.
To contact David, please use the details provided below.