logo

Insight: The EU Has Until Spring to Address the UK’s Non-EU Personal Data Protection Practices.

Many years on from the European Union Referendum of 2016, the UK government signed its trade deal on Christmas Eve 2020.

In the aftermath of the Brexit deal, what effect will the UK’s current status have on international data protection, and in turn employment screening and background checks?

At 23h00 31 December 2020, there was a risk the UK would fall off a data protection cliff, left in limbo with a lesser status (as far as data protection is concerned) than other international states such as Uruguay and Canada, or even the Isle of Man. These countries are part of the 14 non-EU countries afforded ‘adequacy status’ for data protection.

In the absence of the UK having this status, the UK would be treated as a ‘third country’ and any EU member state wishing to transfer personal data to the UK will need to ensure there are ‘appropriate safeguards’ in place to ensure the secure transfer of that data.

As a leading supplier in employment screening and background checks, Vero Screening pre-empted this in respect of its clients and suppliers in the EU, inviting our clients to propose standard contractual clauses. For our wider client-base falling within the EEA, we expect the same.

The good news is, the UK has temporarily stepped back from the cliff edge.

Until the end of Spring of this year, as the EU will, in the short-term at least, still treat the UK as having appropriate safeguards in place to ensure the secure processing of personal data, pending its decision on adequacy status.

This is because, whilst no longer an EU member state, the UK adopted the GDPR (UK GDPR & Data Protection Act 2018) , with equivalent data protection legislation to the other 27 membership holders.

Information Commissioner Elizabeth Denham commented: ‘“This is the best possible outcome for UK organisations processing personal data from the EU.

“This means that organisations can be confident in the free flow of personal data from 1 January, without having to make any changes to their data protection practices.

“We will be updating the ICO guidance on our website to reflect the extended provisions and ensure businesses know what happens next. At this stage it’s good news for businesses and public bodies.”

In a few months’ time this will be no longer assured, and recent statements about the way the UK has interpreted the GDPR for the police and security services casts this in some doubt. The EU and the UK now have a few months of transition to address the issue.

Click here to see more from the ICO on these changes.

in News, Regulation by