My last article, EU and UK data protection bridge, was published on 24 June 2021. At that time, we were uncertain whether the European Union would grant the UK a finding of adequacy. It turned out that the decision was made only a few days later, on 28 June 2021.
The good news is that the UK did get the adequacy finding we needed. The wobbly bridge between us has been replaced!
The new data protection bridge covers two areas:
- EU GDPR
- Law Enforcement Directive
Barring any upsets, both findings last until 27 June 2025.
However, there is one exception, as the new data protection bridge doesn’t cover certain categories of immigration data.
This article tells you more.
The finding of adequacy
The finding of adequacy means that the EU is prepared to treat the protections of personal data that are available in UK law as being equivalent to those available in the EU. Therefore, data controllers are allowed to send and receive personal data to and from the UK and EEA as if we were still part of the EU, without needing additional onerous protection beyond that provided by the Data Protection Act 2018, which is now referred to as UK GDPR.
In practice, this means that personal data flows between the UK and the EEA can continue as they did before Brexit until 27 June 2025, with just that one exception to do with immigration data.
Disclaimer: Of course, this assumes that your business was handling the processing and transfer of personal data properly even before Brexit. If you are rusty on the details of what you’re supposed to do, then please check.
There are two types of immigration data that fall outside the finding of adequacy.
- When a data controller is processing data for the purpose of maintaining immigration controls. The key bodies this applies to are likely to be the Police and Home Office (and you, if your business is about managing immigration investigations).
- When a data controller is processing data for the purpose of investigating or detecting activities that would undermine the effectiveness of immigration control. This may apply to businesses from time to time, for example, if you are required by the Home Office or Police to provide information about any of your staff, such as the expiry of a work permit or leave-to-remain.
Because this data is outside the finding of adequacy, passing it to EEA countries or receiving it from them means additional safeguards are required to satisfy European legislation.
There is always quite a detailed assessment required about whether any particular data needs these extra controls. In this article, I am not suggesting how you analyse this; I am simply advising that you need to exercise additional caution when you handle immigration-related data that you might need to pass to the Home Office or Police.
Where data falls into these categories, different rules apply even under UK GDPR. For example, if an employee makes a data subject access request, they might not be entitled to the usual response, and you might be required to limit your response to matters other than immigration data. Again, this is something to be aware of.
Otherwise, the good news is that the bulk of personal information that most businesses would send to or receive from EEA countries won’t require any new processes. But you should always make sure you keep up to date and comply with whatever the existing processes may be.
I have recently assisted a number of clients to respond to data subject access requests. I’ve been reminded how much hard work is involved in practice, and how important it is to have policies and procedures in place so you can simply follow them step by step – it is much harder to deal with the request in the timeframes allowed if you are also trying to work out what to do at the same time.
As always, if you need help with any of this, please give me a call.