GDPR: UK businesses must now comply with two sets of legislation
Laws surrounding the use of data between the UK and the EU have changed following the end of the Brexit transition period, meaning UK businesses must now comply with rules in both territories.
The EU General Data Protection Regulation (GDPR), which came into force in 2018, requires organisations to put data protection measures in place when either offering goods and services or monitoring the behaviour of individuals within the EU.
However, the UK’s GDPR regulations are now separate from the EU’s GDPR regulations, following the trade deal which came into effect on 1 January, meaning there are now two pieces of data protection legislation instead of just one: UK GDPR covering individuals in the UK and EU GDPR for individuals in the EU. Businesses holding both types of data will now need to adhere to each of the two separate pieces of legislation.
The UK is now officially considered a ‘third country’ under the EU GDPR, meaning that UK businesses serving EU consumers will need to comply with both the UK and EU GDPR measures.
Michael Begley, managing director of venuedirectory.com, who has followed the updated legislation, said many people in the events industry were unaware of the changes. “I'm in regular contact with venues, agencies and planners across the UK and many are currently unaware of the impact of Brexit on UK GDPR and EU GDPR, and the action they now need to take to ensure their business continues to operate legally,” he said.
“There are some simple and immediate steps that organisations should take in order to address data protection regulations and ensure that events can continue once the world opens up again. To support our industry on the road to better business I've partnered with data protection expert Arvi Virdee from Smartec to launch a series of short and focused webinars to guide them through this challenge.”
There are two actions that meetings and events organisations now need to take, Begley noted. “Firstly, UK companies which hold data for the EU now need to review and update their existing data sets. This is to determine which proportion is EU data (and therefore subject to EU GDPR regulations); which is UK data (subject to UK GDPR regulations) and which data falls outside of both of these categories, for example, data sets for those based in America or Asia.
“Secondly, UK businesses need to appoint a representative within the EU to deal with any queries. These could be queries around a data breach or a data subject access request. This representative should reside in any one of the 27 EU countries, and therefore be in situ to deal with requests from individuals, companies or authorities.”
UK businesses need to appoint an EU representative only if they do not already have a branch or office in the EU. If they do, this branch or office would act as the representative, although privacy notices would need to be updated to this effect.
UK law also now requires EU companies that hold UK data to have a representative in the UK, and EU-based companies need to review and separate their data sets to determine which is now subject to UK GDPR regulations.
Begley added: “Event professionals should act now, using this current time when meetings and events are currently on hold, in order to ensure they’re fully prepared and have the correct elements in place in order to do business again.
“Having access to the right information and support is crucial and I hope to provide support through a series of forthcoming webinars.”
Begley said that, to help educate the industry, Venuedirectory.com will be running a series of webinars to inform those in the MICE sector of the impact Brexit will have on UK and EU GDPR.
Venuedirectory.com also announced that it has partnered with managing director of Smartec, Arvi Virdee, to produce the webinars. The Effect of Brexit on UK - EU data webinar will be taking place on 17 February at 2pm GMT and 18 February at 10am GMT. Register for the event here. Registration is free.