The laws surrounding the use of data between the UK and the EU changed after the end of the Brexit transition period, which means UK businesses now have to comply with the rules in both areas.
The EU General Data Protection Regulation (GDPR), which came into force in 2018, requires organizations to take data protection measures when they either offer goods and services or monitor the behavior of people within the EU.
However, following the trade agreement that went into effect January 1st, the UK GDPR rules are now separate from the EU GDPR rules, meaning there are now two data protection laws instead of just one: UK GDPR for people in the UK and EU GDPR for people in the EU. Companies that have both types of data must now comply with each of the two separate pieces of legislation.
The UK is now officially a “third country” under the EU GDPR, which means UK companies serving EU consumers must comply with both UK and EU GDPR measures.
Michael Begley, managing director of venuedirectory.com, who has been following the updated legislation, said many people in the events industry were unaware of the changes. “I am in regular contact with venues, agencies and planners across the UK and many are currently unaware of the impact Brexit is having on the UK GDPR and the EU GDPR and what actions they need to take now to ensure their business continues to work legally,” he said.
“There are some simple and immediate steps organizations should take to comply with data protection regulations and ensure events can continue once the world opens again. To help our industry do better business, I have myself partnered with privacy expert Arvi Virdee at Smartec to launch a series of short and focused webinars to guide them through this challenge.”
There are two steps meeting and event organizations need to take right now, Begley said. “Firstly, British companies that hold data for the EU now have to review and update their existing data sets. It must be determined which part belongs to the EU data (and is therefore subject to EU GDPR provisions), which part belongs to the UK data (subject to UK GDPR regulations) and what data does not fall into these two categories, for example records for companies based in America or Asia.
“Second, British companies must appoint a representative in the EU to deal with any queries. This could be a data breach or a request for data access. This representative should be based in one of the 27 EU countries and be on site to process inquiries from individuals, companies or authorities.”
British companies only need to appoint an EU representative if they do not already have a branch or office in the EU. In this case, this branch or office would act as a representative, although the data protection notice would have to be updated accordingly.
UK law now also requires EU companies that have UK data to have a representative in the UK, and EU-based companies must review and segregate their records to determine which are now subject to UK GDPR rules.
Begley added, “Events professionals should act now and take advantage of this current time where meetings and events are currently on hold to ensure they are fully prepared and have the right items in place to get business back to business.”