A Question Regularly Asked
This question is coming up nearly every day from our EU based customers and institutions, as well as UK clients. What happens to GDPR (General Data Protection Regulation) compliance when the UK leaves the EU?
For years we have marketed our business on the basis that we are a GDPR compliant business with top levels of data security, secure uploading facilities based solely in the UK (and hence part of the EU) and close adherence to all aspects of GDPR. We provide training to our staff on GDPR compliance. We are assessed every year for our GDPR compliance by an organisation called IASME, who provide us with GDPR accreditation to confirm that we adhere to the data protection regulations applicable to all 27 states within the EU.
UK GDPR and EU GDPR
The question about our compliance with GDPR once the UK leaves the EU is a very valid one, because of course (in theory) there will be nothing to stop the UK government at a later stage simply deciding that GDPR was a complete waste of time and getting rid of it with a weaker substitute. This may well happen in the future, but at the moment the UK has not diverged from the EU, and GDPR remains in force. When the UK leaves GDPR will simply become UK GDPR and align with EU GDPR for the time being.
Continued Voluntary Compliance
However, even if the UK government does set a series of divergent regulations that do not comply with the EU version of GDPR, this will not stop UK companies getting assessed and accredited every year for EU GDPR compliance in the same way we do now.
EU Client Base – Dublin Office
Due to the number of customers we have based in Ireland, France, Belgium, Denmark, Sweden, Germany and other EU countries, we have no intention of doing anything other than complying with the EU version of data protection, which means that every year from now on we will be EU GDPR accredited in the same way we are now. We also have an office and presence in Dublin and will be expanding our EU operations over the next few years from our Irish office.
Costs Increase, Red Tape Increase – thank you Brexiteers!
We anticipate the cost of GDPR accreditation increasing as more companies have to go through the process in order to maintain their EU customer base, but this will not be a problem for us as we are keen to continue our strong relations with the various organisations, companies and universities using our services across Europe. Furthermore it is very likely that companies operating in both the UK and the EU will have to comply with two sets of GDPR – the UK GDPR and the EU GDPR. So much for taking back control!
However, regardless of how far the UK eventually diverges from the EU GDPR, you can rest assured that using University Transcriptions and tptranscription.co.uk will remain a compliant, risk-free service for all potential clients in the UK, EU and EEA (European Economic Area). We work with clients around the world from our offices in Wales, England and Ireland and hold a whole host of different accreditations, maintain robust security systems and respect the collection of data. After all, we have been doing this for almost 20 years, so have a good pedigree in all aspects of data protection security. We will also be able to offer EU server uploads if required as well as our existing UK server uploads.
Government guidance on the new regime for GDPR in the UK can be found on the ICO website at https://ico.org.uk/for-organisations/data-protection-at-the-end-of-the-transition-period/information-rights-at-the-end-of-the-transition-period-frequently-asked-questions/.
A summary of the information is below.
What happens now that the UK has left the EU?
During the transition period the GDPR will continue to apply in the UK. You should continue to follow existing guidance on the GDPR and monitor the ICO website for any developments in guidance during the remainder of the transition period.
What happens at the end of the transition period?
The GDPR will be brought into UK law as the ‘UK GDPR’, but there may be further developments about how we deal with particular issues such as UK-EU transfers. The GDPR will be retained in domestic law at the end of the transition period, but the UK will have the independence to keep the framework under review.
Do we need a European representative during the transition period?
No, during the transition period you do not need to appoint a representative in the EEA. However, you may need to appoint a representative from the end of the transition period if you are offering goods or services to individuals in the EEA or monitoring the behavior of individuals in the EEA.
Will the GDPR still apply when we leave the EU?
The GDPR is an EU Regulation and, in principle, it will no longer apply to the UK from the end of the transition period. However, if you operate inside the UK, you will need to comply with UK data protection law. The government has said that it intends to incorporate the GDPR into UK data protection law from the end of the transition period – so in practice there will be little change to the core data protection principles, rights and obligations found in the GDPR.
The EU version of the GDPR may also still apply directly to you if you operate in Europe, offer goods or services to individuals in Europe, or monitor the behaviour of individuals in Europe.
The GDPR will still apply to any organisations in Europe who send you data, so you may need to help them decide how to transfer personal data to the UK in line with the GDPR.
What will the UK Data Protection Law be?
The Data Protection Act 2018 (DPA 2018), which currently supplements and tailors the GDPR within the UK, will continue to apply. The provisions of the GDPR will be incorporated directly into UK law from the end of the transition period, to sit alongside the DPA 2018.