As part of its departure from the European Union, the UK is set to make major modifications to its data privacy laws as well. How is the British government planning to implement the policies in the new UK GDPR after Brexit?
Post-Brexit GDPR scenario
The EU GDPR ceased to apply directly in the United Kingdom after 31 December 2020. After Brexit, the Data Protection Act (DPA) 2018 continued to apply in the UK, adapted to local requirements, in the form we now know as the UK GDPR.
Culture Secretary Oliver Dowden said in a statement that the UK’s official independence from the EU could put an end to the ‘irritating cookie popups and consent requests online’. He asserts that the rules should be based on ‘common sense, not box-ticking’. This is further supported by John Edwards, the new head of the Information Commissioner’s Office (ICO), who said that ‘the UK is about to develop a world-leading data policy that will deliver Brexit dividends for individuals and businesses across the country.’
The EU-UK Trade and Cooperation Agreement (TCA) does not only cover terms for products, services, and immigration. It also sets out the data protection measures of both parties for the years ahead.
The TCA included a grace period from 1 January to 30 June 2021 at the onset of the post-Brexit phase, allowing time for adjustments to data flows between the EU and the UK in both directions. During this temporary reprieve under the new General Data Protection Regulation (GDPR) arrangement, the European Union also reached an adequacy decision on the UK’s data protection laws.
The EU adequacy decision
The European Commission adopted its decisions under the GDPR and the Law Enforcement Directive, alongside the TCA provisions that cover the legal aspects of data protection. Some of its key elements:
- The UK’s post-Brexit data protection framework is fully grounded in the principles, rights, and obligations of the GDPR and the Law Enforcement Directive.
- The UK government asserts strong safeguards on the collection of personal data by public authorities, notably for national security reasons. Authorisation from a judicial body is needed before data can be collected.
  If an individual finds that they have been subject to unlawful surveillance, they can bring the matter before the Investigatory Powers Tribunal. The UK is subject to the European Court of Human Rights and is therefore required to comply with the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
- The EU adopted the adequacy decision for the UK on 28 June 2021 with a sunset clause, meaning the deal is set to last for four years. When it expires in 2025, renewal is not automatic. Instead, the UK undergoes another adequacy process to assess whether it can still guarantee the same level of data protection.
  Without this provision, transfers of data from the European Economic Area (EEA) to the UK would be subject to the EU’s rules on data transfers to third countries.
- Transfers for the purposes of UK immigration control are excluded from the scope of the adequacy decision, to reflect a recent judgment of the England and Wales Court of Appeal on the validity and interpretation of data protection restrictions in that area.
What’s new in the UK GDPR?
The UK GDPR is a word-for-word mirror of the EU version, with the EU references in the law (e.g. the EU Commission, EU Parliament, and EU Court of Justice) altered, plus other marginal modifications the British government deems appropriate. It still substantially contains the same rights.
The UK now has the power to expand on and diverge from the GDPR it previously adhered to. Amendments to the law have been published on legislation.gov.uk. Some of the updates in the UK GDPR regulations:
- The age of consent for children is lowered to 13 years old;
- There is a more restricted definition of personal data;
- Consent must be freely given and provided with clear affirmative action;
- Genetic and biometric data are now included under special categories of data;
- Data subjects can request deletion of their data;
- Data processors and data controllers both have statutory obligations;
- There exists an exemption in the processing of personal data under the grounds of public interest; and
- The maximum fine for breach is increased to £17 million.
What does the new UK GDPR mean for accounting firms?
For accountancy organisations in the UK, a new data protection framework means new paperwork and compliance work. But since the EU and UK GDPR are almost the same, you only have to watch out for the marginal changes described above.
As primary data handlers, you are held accountable for protecting your clients’ sensitive data. The GDPR is their safeguard that their information is processed lawfully. Accountants, data controllers, and data processors must be able to show evidence that data subjects explicitly consented to the capture and processing of their data, with a clear statement of why it is needed and how the information will be managed.
GDPR compliance checklist for accountants
Documenting processing activities is now required under the new GDPR, to make sure you are fully compliant with the data protection law.
The mandatory documentation for GDPR compliance, as set out by the ICO, is as follows:
- For controllers of personal data, document all applicable information under Article 30 (1) of UK GDPR.
- For processors of personal data, document all applicable information under Article 30 (2) of UK GDPR.
- All processing activities should be documented in writing.
- Documentation of processing activities is done by linking together different pieces of information.
- Conduct regular reviews of the personal data you process and update the documentation accordingly.
For best practices, you should:
- Audit your information to know what personal data your firm is handling;
- Familiarise yourself with the processing routine in depth;
- Review policies and contracts to find the best arrangements for security and data sharing;
- Document processing activities in electronic form, for easier removal and amendment of the information; and
- As part of documenting processing activities, record the following:
  - information required for privacy notices;
  - records of consent;
  - controller-processor contracts;
  - the location of personal data;
  - Data Protection Impact Assessment reports; and
  - records of personal data breaches.
You can read more about them on the ICO’s page.
It remains to be seen how the UK’s departure from the union will affect its data protection policies over the coming years. The proposed overhaul of the UK GDPR after Brexit is still under discussion, and the ICO is in continuing negotiations with the EU about data transfers between the two parties.
In the interim, you need to make sure your organisation is fully compliant with the tighter security measures in the UK. It’s going to be a time-consuming responsibility, so why not let us take care of your finance and accounting processes?
Learn more about our bespoke back-office accounting outsourcing solutions, which fully understand and comply with the GDPR regulations. Grab your copy of our latest whitepaper, D&V Philippines’ Solutions for Modern Accounting Firms, to find out how we can add value to your F&A services, or talk to our account managers about your accounting needs.