Brexit Checklist For Data Protection.

Updated: Dec 31, 2020











On Dec 31st, 2020, the clock strikes zero for the Brexit transition period. Unless the EU and UK can strike a deal on privacy within the limited time that is left, the UK will become a third country for the member states of the European Economic Area. This has several consequences in the area of privacy. To help you during this time of uncertainty, we have compiled a Brexit checklist with things you need to check before the deadline.


Brexit checklist: Organisations in the UK that collect and/or receive EEA personal data


▢ Check if you are required to have a representative in the EEA

▢ Mention EEA representative in website privacy statement

▢ Check all notices, website privacy statements and internal policies for the correct references to the UK and/or EU GDPR. Which one applies depends on the location of the data subjects.

▢ Check whether you have to report your DPO to one or more competent supervisory authorities in the EEA

▢ Check the register of processing activities for UK-EEA data streams and account for the UK being a third country for the EEA

▢ Check whether additional data transfer agreements need to be put in place or existing agreements changed now that the UK is a third country and no longer part of the EEA

▢ The UK considers the EEA adequate countries, to which data can be freely transferred. When receiving EEA personal data, check if there are transfer mechanisms (such as SCC) in place.

▢ When relying on BCR with the ICO as lead supervisor, see the EDPB information note on whether you need to change anything

▢ Monitor possible future deviations between the UK and EU privacy rules as well as the adequacy status of the UK


Brexit checklist: Organisations in the EEA that collect and/or receive UK personal data


▢ Check if you are required to have a representative in the UK

▢ Mention UK representative in website privacy statement

▢ Check all notices, website privacy statements and internal policies for the correct references to the UK and/or EU GDPR. Which one applies depends on the location of the data subjects.

▢ Check whether you have to report your DPO to the ICO

▢ Check the register of processing activities for UK-EEA data streams and account for the UK being a third country for the EEA

▢ Check whether additional data transfer agreements need to be put in place or existing agreements changed now that the UK is a third country and no longer part of the EEA

▢ The UK considers the EEA adequate countries, so UK personal data can be freely received. When sending EEA personal data to the UK, check if there are transfer mechanisms (such as SCC) in place.

▢ When relying on BCR with the ICO as lead supervisor, see the EDPB information note on whether you need to change anything

▢ Monitor possible future deviations between the UK and EU privacy rules as well as the adequacy status of the UK


Brexit checklist: Organisations with establishments in both the UK and EEA


▢ When your main establishment is in the UK, check whether it can be moved to EEA if you want to continue to benefit from having a single point of contact for privacy in the country of your main establishment (one-stop-shop mechanism)

▢ Check all notices, website privacy statements and internal policies for the correct references to the UK and/or EU GDPR. Which one applies depends on the location of the data subjects.

▢ Check whether you have to report your DPO to the ICO and/or competent supervisory authorities in the EEA

▢ Check the register of processing activities for UK-EEA data streams and account for the UK being a third country for the EEA

▢ Check whether additional data transfer agreements need to be put in place or existing agreements changed now that the UK is a third country and no longer part of the EEA

▢ The UK considers the EEA adequate countries, to which data can be freely transferred. When sending EEA personal data to the UK, check if there are transfer mechanisms (such as SCC) in place.

▢ When relying on BCR with the ICO as lead supervisor, see the EDPB information note on whether you need to change anything

▢ Monitor possible future deviations between the UK and EU privacy rules as well as the adequacy status of the UK


Brexit checklist: Organisations outside the UK or EEA that collect or receive UK and/or EEA personal data


▢ Check if you are required to have a representative in both the UK and EEA, or have to switch their location from one to the other

▢ Mention additional representatives or change in representatives in website privacy statement

▢ Check all notices, website privacy statements and internal policies for the correct references to the UK and/or EU GDPR. Which one applies depends on the location of the data subjects.

▢ Check whether you have to report your DPO to the ICO and/or competent supervisory authorities in the EEA

▢ Check whether additional data transfer agreements need to be put in place or existing agreements changed now that the UK is no longer part of the EEA

▢ When relying on BCR with the ICO as lead supervisor, see the EDPB information note on whether you need to change anything

▢ Monitor possible future deviations between the UK and EU privacy rules


PrivacyPerfect is one of the first high-end privacy compliance software providers on the market.


