Gill Crennell

laptop, phone, mug of coffee and pad on a desk

A look at the new Freelance Solicitor Model

Anti-Money Laundering, Blogs, Legal Compliance, Regulatory Compliance /

In November 2019, the SRA introduced a new model of operating for so-called ‘freelance solicitors’. The intention of the freelance solicitor model was to allow solicitors greater flexibility when providing services. We were told that the changes took place as the regulator felt that the previous arrangements created an unnecessary and restrictive ‘artificial entity’ model around solicitors operating as individuals. Prior to the changes, sole practitioners were required to have their practice authorised as a ‘recognised sole practice’.

 

What is a Freelancer?

A good starting point is to look at what the SRA means by ‘freelance solicitor’. This term is used to describe a self-employed solicitor who:

  • is practising on their own;
  • doesn’t employ anyone else in connection with the services they provide;
  • is practising in their own name (rather than using a trading name or through a service company);
  • is engaged directly by the client with fees payable directly to the solicitor;
  • and without that practice being authorised. So, essentially, we’re talking about individuals who are genuinely self-employed.

Rules and Regulations

Freelancers are subject to various rules and regulations. The three key ones to note are as follows:

 

The SRA Authorisation of Individuals Regulations 2019 (the Regulations)

  • You must have practised as a solicitor for a minimum of three years since admission or registration.
  • You are self-employed and practise in your own name, and not through a trading name or service company.
  • You must take out and maintain indemnity insurance that provides adequate and appropriate cover in respect of all of the services that you provide or have provided (this includes both reserved and unreserved legal services), and that takes into account any alternative arrangements you or your clients may make.
  • You are not permitted to employ anyone.
  • You are engaged directly by the client, and the client pays their fees directly to you.
  • You may only hold client money in limited circumstances, i.e. when it’s for payments on account of costs and disbursements that you have not yet billed where:
    1. any money held for disbursements relates to costs and expenses incurred by you on behalf of your client and for which you are liable, and
    2. you have told the client in advance where and how that money will be held.

SRA Code of Conduct for Solicitors, RELs and RFLs (the Code)

Freelance solicitors are regulated in the same way as other solicitors and are subject to the provisions of the Code.

 

The Transparency Rules

Those freelancers providing reserved legal services are also subject to the requirements of the Transparency Rules. This includes publishing costs information where they offer any the services listed in the rules, publishing details of their complaints’ procedure, and telling clients that they will not be covered by insurance on the SRA’s minimum terms and conditions and that alternative arrangements are in place.

As a more general rule, freelance solicitors will need to ensure that clients fully understand the implications of their “freelance” status and any additional risks to the client. This should include informing clients if they are unable to benefit from the SRA Compensation Fund.

 

Other key regulations to think about

Freelance solicitors will also need to consider whether they are an “’independent legal professional” (ILP) for the purposes of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017). The MLR 2017 apply to freelancers providing legal or notarial services to others as part of financial or real property transactions. If you are an ILP, you’ll need to comply with the regulations, which includes having a risk assessment, policies and controls and procedures in place. You’ll also need to separately register with the SRA to comply with the MLR 2017.

 

What activities can Freelancers undertake?

The Regulations differentiate between those performing reserved legal activities and those just providing non-reserved legal activities – essentially differentiating between the areas of law considered riskier and those of low-risk. As you’d expect, the restrictions are more stringent for those undertaking the former. There are six reserved activities which you’ll find listed at Section 12 and Schedule 2 of the Legal Services Act 2007. If you’re planning to work as a freelancer, it’s important that you familiarise yourself with these:

  • Exercise of a right of audience
  • Conduct of litigation
  • Reserved instrument activities (includes conveyancing and linked matters)
  • Probate activities
  • Notarial activities
  • Administration of oaths

Historically, you’ve only been able to provide these types of services as a solicitor through an entity that is authorised to do so. However, if you’re a solicitor practising on your own account, you can now provide these types of services without needing to be authorised as a recognised sole practitioner if you meet the conditions set out in Regulation 10.2(b) of the Regulations.

 

More on the Restrictions in Regulation 10.2(b)

Experience: Whilst solicitors solely providing non-reserved legal activities don’t need to meet the three years’ PQE requirement, newly qualified solicitors will need to be mindful of the need to satisfy the competency requirements set out in the Code, which still apply.

Employing others: Despite this restriction, the SRA Ethics guidance (“Preparing to become a sole practitioner or a freelance solicitor”) clarifies that this isn’t intended to stop freelancers from contracting with others to provide pure administrative support to help them to provide their services, so long as they don’t “employ” those people. This would, for example, enable you to work in a Chambers model where the Chambers provides administration and other business support. It would also enable freelancers to receive similar services from a serviced office type arrangement.

It’s also important to note that if you do decide to employ someone to assist you in connection with the services you provide (including a paralegal or secretary), your clients will not benefit from protection under the SRA Compensation Fund (see Regulation 5.2, SRA Compensation Fund Rules) – you must be genuinely practising on your own.

Professional Indemnity Insurance (PII): Another apparent rational for the introduction of the revised regime was the SRA viewing that the high cost of purchasing PII on minimum terms was deterring entry to the market of sole practitioners wanting to practise independently.

Now, freelancers who carry out purely non-reserved activities are not required to have any PII. However, prudent freelancers should consider whether having no cover is in their own, and indeed their clients’ best interests. Conversely, freelancers carrying out reserved legal activities must have “adequate and appropriate insurance” in place, but do not need to comply with the SRA’s minimum terms. Cover must be for all of the work done as a solicitor and not just any reserved activities. When speaking with insurers or brokers, it’s advisable to let them know if you’ll be seeing clients at home or working from home on a regular basis, to make sure you obtain appropriate cover. When arranging cover, factors to think about may include an assessment of maximum probable loss for each work type, your claims history (if any; number/type/value/frequency of client matters) and likely client profiles. You should also record how you reached your decision on the level of cover so you can produce this if asked to demonstrate that you meet the “adequate and appropriate” requirement.

Although the cost of insurance can sometimes be prohibitive, freelancers should also consider taking out run-off cover if they decide to stop practising – at least until the risk of claims has fallen away. If solicitors decide to move back into private practice, this may be something that new employers will look for.

Insurers will undoubtedly be looking closely at the risk and compliance framework that freelancers put in place to ensure that any risks are being properly managed before they offer cover; so this is likely to be a key focus for those wanting to take advantage of the new model of working. Here at Teal we work closely with insurers and can help you to ensure that you have an appropriate framework in place that will satisfy your insurers’ requirements. Please do not hesitate to contact us if we can assist.

Restrictions on holding client money: Given the limitations on holding client money, if a client needs to pay or is due to receive other types of client money (such as damages or money from an estate), a freelance solicitor will need to make alternative arrangements to safeguard these funds – for example via a third party managed account such as Shield Pay.

 

Structures

As a freelancer solicitor you’re strictly prohibited from adopting any kind of entity structure, such as a limited company, limited liability partnership or partnership and can only operate under your own name. This means that you’ll be personally liable for your actions in the same way as a sole trader.

Law Society guidance (see link below) envisages that individuals may consider working together with other like-minded solicitors in a Chambers-style arrangement, with practices complementing one another. Each freelancer in the arrangement remains individually regulated and may, for example, just offer non-reserved legal activities, whilst others may offer reserved activities or perhaps offer both.

 

The process for getting set up as a freelancer

To get started, you will need to notify the SRA that you intend to practise on your own and whether or not you will be providing reserved legal services. If so, the SRA will then check whether you meet the conditions set out in the Regulations mentioned above.

 

Risks for law firms

Law firms should consider training staff on freelance solicitors and the implications for firms – for example, given the restrictions on holding client money, freelancers will be limited in the undertakings that they will be able to give.

Given the requirements for freelancers to contract personally for services, and the ban on freelancers holding client money, the SRA considers that the arrangements are unlikely to appeal to a sole practitioner who is currently running a business and employing staff and instead, are more likely to appeal to those who wish to undertake ad hoc freelance work or set up in a chambers style model.

When the new model for freelancers was first discussed, it received a considerable amount of negative commentary in the press, mostly relating to lack of regulation. However, as mentioned above, the Code still applies to all freelancers.

The Gazette reported back in early March 2020 just prior to lockdown, that 71 solicitors had already registered with the SRA as freelancers. The model is likely to be attractive to solicitors with a good client following or with small practices – so clearly poses a threat to firms, although quite how extensive the threat will be, only time will tell.

 

Useful links

Here are some useful links

  • Law Society Practice Notes – Click here
  • SRA Freelancer Notification – Click here
  • SRA Guidance – Preparing to become a sole practitioner or SRA regulated solicitor – Click here
  • SRA Guidance – Third party managed accounts – Click here
  • SRA Compensation Fund Rules 2021 – Click here

Get in touch

If you’d like to know more about our regulatory services, please contact one of our experts today.

Get in touch

A look at the new Freelance Solicitor Model Read More »

someone typing on laptop on wooden desk

The SRA Transparency Rules – Is your website compliant?

Blogs, Legal Compliance, Regulatory Compliance /

As you’re no doubt aware, the SRA Transparency Rules (the Rules) came into force back in December 2018 requiring firms to publish price and service information for various practice areas. It’s important that you check this regularly, to ensure it’s up-to-date. 

What areas of law does it cover?

You need to publish the price and service information on your website if you publicise that you work in the following areas of law: 

  • Residential conveyancing
  • Probate (uncontested)
  • Motoring offences (summary offences)
  • Immigration (excluding asylum)
  • Employment tribunals (unfair/wrongful dismissal)
  • Debt recovery (up to £100,000)
  • Licensing applications (business premises)

If your firm doesn’t have a website, you must still have this information available upon request in other formats.

Information about the SRA requirements

The Rules also require all firms to publish details of their complaints procedure on their website, including how and when a complaint can be made to the Legal Ombudsman and to the SRA. From 25 November 2019 firms were also required to display the SRA’s digital logo in a prominent place on their website.

You may also be aware that the SRA has been conducting a programme of random sweeps of firm websites to monitor on-going compliance with the Rules. 

In November 2019 they reported that during a sweep of 447 live websites conducted in March/April 2019, only 25% of firms were fully compliant with the Rules. Of the remaining 75%, 58% were partially compliant and 17% were not compliant with the Rules at all. However, the SRA did provide useful feedback on the most common areas of non-compliance which were:

  • Failing to publish the required complaints information
  • Failing to specify the amount of VAT applied to costs and disbursements
  • Failing to display information on key stages and/or timescales
  • Failing to provide a description or costs of likely disbursements

We’re aware that the SRA has more recently been contacting firms with the results of their sweep. Several firms we’ve spoke to were surprised to learn that they’re only partially compliant, despite undertaking considerable work on their respective websites. In our experience, whilst the SRA will indicate to a firm the service areas that they consider non-compliant in terms of the information provided, unfortunately they don’t provide exact details of the non-compliance(s), but instead state “insufficient information” has been provided.

When assisting clients to identify the missing information, we’ve found the SRA templates of suggested text to be very helpful.

Our own research

We undertook our own survey of 10 websites for compliance with the Rules and found the following:

  • Fully compliant: 1
  • Partially compliant: 8
  • Non-compliant in all areas: 1

When looking at the websites, we noticed that the issues flagged by the SRA after their first ‘sweep’ still featured high on the list of areas of non-compliance. We located the SRA’s digital badge on 8 out of the 10 websites reviewed.

Get in touch

At Teal, we offer firms a website audit service. We provide guidance on whether we consider that your website is compliant with the Rules and can assist with any remedial action needed. We can also provide guidance and assistance if you’ve received an SRA Notice informing you of non-compliance and directing you to take remedial action.

If you’d like to know more, or if we can assist, please get in touch.

Get in touch

The SRA Transparency Rules – Is your website compliant? Read More »

Keyboard with a large yellow button which says 'Data Protection' and has an image of a padlock

Do you need a data protection officer under the GDPR?

Blogs, Data Protection, Regulatory Compliance /

At Teal, one of the questions we often get asked is whether or not an organisation needs a Data Protection Officer (DPO).

 

What the guidance says

Under the GDPR, it’s mandatory for some organisations to appoint a person to act as their DPO – others may choose to either appoint a DPO on a voluntary basis or decide that one is not required for the purpose of the Regulations and instead, they’ll just appoint someone to deal with data protection matters. In each case, your business will need to consider who this person should be, what their duties will be and what your business’s obligations are in relation to this person.

The WP29 guidance (the WP29 was an advisory body made up of representatives from the data protection authorities of each EU member state, the EU Commission and the European Data Protection Supervisor, which has now been replaced by the European Data Protection Board) recommends that organisations document the internal analysis carried out to determine whether or not they need to appoint a DPO. This can, for example, be via a memo to your governing body making recommendations as to whether a DPO should be appointed or not, as well as noting any decisions flowing from the recommendations. Whilst the appointment of a DPO isn’t always essential, the guidance states that organisations should assume that one is necessary unless they can demonstrate otherwise.

Although a DPO appointment will show your commitment to complying with the GDPR, you need to bear in mind that once you appoint one, they’ll have to comply with the obligations of a DPO contained in the regulations.

 

Under the GDPR, when must a DPO be appointed?

Under the GDPR, controllers and processors must appoint a DPO if:

  • They are a public authority or body
  • Their core activities involve large scale, regular and systematic monitoring of individuals
  • Their core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences

So, it’s the nature of processing undertaken by you, as a data controller or processor, that determines whether or not you need a DPO and you need to consider to what extent you need to process personal data to function properly as an organisation. If it is essential, it is likely that you will need a DPO.

Whilst what constitutes “large scale” isn’t defined, the guidelines say that when determining if processing is on a large scale, you should take the following factors into consideration:

  • The numbers of data subjects concerned
  • The volume of personal data being processed
  • The range of different data items being processed
  • The geographical extent of the activity
  • The duration or permanence of the processing activity

Even if you decide not to appoint a DPO, the GDPR require organisations to keep records of their processes and any data breaches and it’s important to ensure that your business has sufficient staff and resources to enable it to discharge its obligations under the GDPR.

 

Who can and can’t be a DPO?

The GDPR requires appointment of a DPO to be on the basis of a person’s ability to carry out those tasks, in particular, their experience and knowledge of data protection law. The regulations don’t specify the precise credentials a DPO is expected to have, but they do state that they should be proportionate to the type of processing being carried out and take into consideration the level of protection the personal data requires. Clearly it would be an advantage for a DPO to have a good knowledge of the relevant industry or sector, as well as your data protection needs and processing activities.

You can appoint an external DPO which would avoid any conflict issues and this is useful where there is no-one suitable within your business to take on the role. The WP 29 guidance provides useful suggestions regarding the individuals within a firm that shouldn’t be the DPO given that they are likely to be in a position of conflict as they may be responsible for determining the purposes and means of processing personal data, this includes the Chief Executive Officer, Chief Operating Officer, Chief Financial Officer, Head of Marketing, Head of Human Resources and Head of IT. Other less senior roles may also be conflicted if they lead to determination of the purposes and means of processing. In many law firms, for example, it is likely that the Compliance Officer for Legal Practice (COLP) would be a suitable DPO. However, you would need to consider any other roles that the COLP fulfils for the firm, in particular if the COLP is also managing partner or has another senior management role.

The GDPR contains a number of protections for DPOs and places obligations on the data controllers and processors regarding their DPO, a key one being to support the DPO by providing resources to enable them to carry out their tasks. DPOs must be independent, avoid conflicts of interest and cannot receive instruction regarding the performance of their tasks. The GDPR provides DPOs with protected employment status, meaning that you cannot dismiss or sanction a DPO simply for doing their job.

 

What’s the DPO’s role?

The DPO’s main responsibility is to inform and advise your organisation and staff about your obligations to comply with GDPR and other data protection laws. They are responsible for monitoring compliance with the law and regulation and with your data protection policies and also for raising awareness of data protection issues. This includes training staff and conducting internal audits where necessary. They are also responsible for advising on and monitoring any data protection impact assessments that you may undertake, and are the first point of contact for supervisory authorities and the individuals whose data you process. The ICO expects a DPO to take a risk based approach and, for example, to focus on the more risky activities that a business may undertake (e.g. if you process special category data).

The DPO, or his/her team, should be involved from the earliest stage possible in all issues relating to data protection., This should include regular participation in senior management meetings and involvement in any decision which has a data protection implication, with all relevant information being provided to them as early as possible. You should ensure that due weight is given to the DPO’s opinion and, in case of disagreement, the reasons for not following the DPO’s advice should be documented.

 

Law Firms

The Law Society in its March 2018 advice article (Appointing a Data Protection Officer) took the view that most law firms will not need to appoint a DPO given that they would not be systematically monitoring data subjects on a large-scale and reiterated this view in further advice in August 2019 (Appoint a Data Protection Officer). At the same time they acknowledged that some firms might need to appoint a DPO where they are processing special categories of data, e.g. concerning health, ethnicity, political or religious beliefs, trade union membership, or sexual orientation of the firm’s clients, or relating to their criminal convictions and offences, and such processing might be conducted on a large scale.

Whilst firms might conclude that their processing falls outside the criteria for the mandatory DPO appointment, they may still wish to appoint a DPO on a voluntary basis – particularly if they are in any doubt on the matter. Some firms might also benefit from taking specialist advice on the matter, if they do not have the necessary expertise in their practice. Firms should keep a full record of their decision-making.

Whether you decide to appoint a DPO or not, you should ensure that all staff are aware of the existence of the person responsible for dealing with data protection matters within your organisation and the importance of their role. They must have a direct feed into your top-level management. It’s important to note that a DPO, where appointed, is not responsible for your business’s compliance with data protection law – this remains the responsibility of you as data controller or processor. However, a DPO, and indeed any other person appointed to deal with data protection matters clearly play a crucial role in being responsible for overseeing your data protection strategy and its implementation and helping you to fulfill your data protection obligations.

 

Get in touch

To find out more about our data protection and GDPR services, contact one of our helpful experts today.

Get in touch

Do you need a data protection officer under the GDPR? Read More »

someone calculating bills on a calculator

Don’t forget to pay your ICO fee!

Blogs, Data Protection, Legal Compliance /

The UK Information Commissioner’s Office (ICO) has recently launched a campaign to send reminders to all UK registered companies to ensure that they comply with their legal obligation to pay an annual data protection fee, where this applies. This is the start of an extensive project to ensure that the ICO fee is paid by everyone who needs to pay it.

Under the Data Protection Act 2018 organisations processing personal information are required to pay a data protection fee unless they are exempt – this fee replaces the old annual registration fee. If you are an organisation holding personal information for business purposes on any electronic device, including using CCTV for crime prevention purposes, it’s likely that you’ll need to pay the fee. The ICO maintain a public register of those registered, so your clients will be able to check whether you take your data protection obligations seriously.

The amount of the data protection fee depends on a company’s size and annual turnover. There are three tiers of fee ranging from £40 and £2,900, but for most organisations it will be £40 or £60 (you can reduce the cost by £5 if you sign up by direct debit). As it’s a statutory fee, no VAT is payable on the fee. The ICO provides a useful self-assessment tool which will calculate how much you need to pay (see self-assessment) – and is definitely worth using to ensure that you are paying the correct amount. In terms of exceptions, charities pay £40 regardless of size or turnover and public authorities only need to go by staff numbers. There are a number of exemptions. You don’t need to pay a fee if you are processing personal data only for one or more of the following purposes:

  • Staff administration
  • Judicial functions maintaining a public register
  • Accounts and records
  • Not-for-profit purposes
  • Advertising, marketing and PR
  • Personal, family or household affairs
  • Processing personal information without an automated system such as a computer

Since introduction of the latest data protection fee in May 2018, over half a million organisations have registered with the ICO to pay it. However, between 1 July and 30 September 2019 the ICO issued 340 monetary penalties to organisations who haven’t paid the fee. You are breaking the law if, as a controller, you process personal data or are responsible for the processing of personal data, for any of the non-exempt purposes and you have either not paid a fee or not paid the correct fee.

In addition to a fine, the ICO names the majority of those failing to pay. This clearly has reputational implications for your business.

The very fact that GDPR exists at all suggests that data protection is being taken more seriously than before. Although fines tend to be the ICO’S last resort, the data protection fee is going to be vital to the ICO if it’s to function properly as whilst money received from fines is passed to the Government, the data protection fee is used by the ICO to fund its data protection work. Clearly, if organisations ignore the requirement to pay en masse, this could drive the ICO to flex its muscles by making an example of some of them.

If your fee is a renewal you should receive a payment reminder from the ICO – but don’t rely solely on this and ensure you diarise the payment date as a key date, so you don’t end up with fine which could easily have been avoided. If you don’t pay when you need to, you’ll receive a notice of intent from the ICO 14 days after expiry. You’ll then have 21 days to pay or make representations as to why you think you don’t need to. If you still don’t pay or fail to notify the ICO that you no longer need to pay, you may be issued with a fine of up to the maximum penalty of £4,350 (150% of the top tier fee) – so it’s clearly important that you pay the correct fee, if due, and on time.

 

Get in touch

To find out more about our data protection services, contact our experts today. 

Get in touch

Don’t forget to pay your ICO fee! Read More »

3 office workers sat around desk working on laptops

What happens to GDPR on exit day?

Blogs, Data Protection, Legal Compliance /

GDPR during the transition period

As we’re all well aware, the UK will finally leave the European Union later today. The UK and the EU will then have until 31 December 2020 (the “transition period”, provided for in the withdrawal agreement) to negotiate an agreement setting out their future relationship. This raises the question: will the UK still be bound by the GDPR post-Brexit? In short, yes. During the transition period, GDPR will continue to apply and the data protection landscape will remain unchanged.

The current regime consists of the EU GDPR, supplemented by the UK Data Protection Act 2018 (DPA). As well as modifying the EU GDPR, the DPA applies a similar data protection regime (referred to as the “applied GDPR”) to areas falling outside the scope of EU GDPR. So for now you should continue to follow the current rules and regulations and ICO guidance.

During the transition period, if you are offering goods and services to customers in the EU, the ICO has confirmed that you do not yet need to appoint a European representative but may need to do so from the end of the transition period.

What happens at the end of the transition period?

Following through on its commitment to incorporating EU GDPR into domestic UK law on exit day, the UK government has issued a statutory instrument – the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (the “Exit Regulations”), which will apply changes needed to the EU GDPR so that it remains relevant to the UK after Brexit (such as removing references to the UK’s participation as a member state), and merges the EU GDPR with the DPA to ensure that the UK data protection framework continues to function correctly. This regime will be known as the UK GDPR.

The EU GDPR will continue to apply in the UK until the end of the transition period – from this point on UK GDPR will apply. What the exact data protection landscape will look like post 2020 will depend upon the negotiations that take place during the transition period, but we believe, based on the information available to us now, that it’s unlikely there will be any change to the existing main data protection principles.

Currently all personal data moving from the UK to the US is governed under the Privacy Shield framework agreed to by the EU and the US. The good news is that the Exit Regulations will ensure that this arrangement will continue so that data still flows from the UK to the US. However, US entities will need to update their privacy notices to expressly extend protection to transfers from the UK.

Adequacy Decisions

What we also know is that from the end of the transition period, the UK may be classified as a “third country” for the purposes of EU GDPR. The EU GDPR places restrictions on data transfers to third countries (i.e. countries other than EU member states and the three EEA states that have adopted a national law implementing GDPR (Norway, Iceland and Liechtenstein)). To date, the EU has granted a number of adequacy decisions, where they determine whether a country offers personal data an adequate level of protection, including in favour of the Isle of Man, Jersey and Guernsey.

It’s highly likely that the UK will apply for adequacy status from the EU and the EU has already indicated that it’s prepared to consider this but won’t do so until after exit day. But unless this happens before 31 December 2020, UK businesses processing data on behalf of EU data controllers will only be able to transfer data if appropriate safeguards are in place to protect the data transfer to the UK. This includes putting in place some form of data transfer agreement with the EU business incorporating the standard data protection contractual clauses (known as “Model Clauses”) approved by the EU, as a legal basis to protect the transfer of personal data to the third country.

However, once adequacy status is granted, the UK would no longer be classified as a third country and the need for Model Clauses or other safeguards to be put in place would fall away. Just how long this process will take is unknown, but it’s unlikely to happen quickly and there’s no guarantee it’ll happen before 31 December. Businesses dealing with third countries should therefore follow developments regarding the granting of an adequacy decision closely, as breaches of the requirements relating to this particular area of EU GDPR are subject to the higher level of fines (up to €20 million or 4% of annual global turnover, whatever is higher).

If your business transfers data to countries outside of the EU where the EU has already made an adequacy decision, then the position will remain unchanged and your data can continue to flow. The UK government has confirmed that it will recognise existing EU adequacy decisions made prior to exit date. However, you should still keep a close eye on developments as you may see the situation where the EU subsequently grants an adequacy decision to a country and the UK takes a different stance and chooses not to adopt it.

Summing Up

At the current time, whilst we’re in the transition period, there shouldn’t be too much for businesses to do with the majority of data protection rules staying the same, but it’s important that businesses follow developments as we move towards the end of the transition period. As the ICO says in its guidance on post Brexit data protection, your best preparation at this point in time is to ensure you comply with GDPR now.

Get in touch

To find out more about our data protection services, simply get in touch with one of our experts today.

 

What happens to GDPR on exit day? Read More »