UK privacy laws and Brexit: what to expect in 2021

As of 31 January 2020, the United Kingdom officially began its withdrawal from the European Union. That date marked the beginning of a transition period which will end on 31 December 2020.

If you’re based in the UK, what does this mean for the way your practice handles private patient data? Well, like most legal matters, it depends. Some practices won’t need to change much at all, while others will need to make some adjustments to comply with different privacy requirements.

Either way, this article should shed a little light on the topic and point you in the right direction to get more info.

Merging two laws into one.

Prior to 31 December 2020, UK practitioners have been bound by two privacy laws: the EU GDPR and the UK DPA 2018. GDPR is the set of privacy regulations established by the European Union that has ‘direct effect’ in the UK, and the DPA 2018 is a UK supplement to that legislation which makes specific additions for domestic interests.

Once the transition period is over, EU GDPR will no longer apply in the UK. Instead, the UK government is essentially merging the principles of GDPR with DPA 2018. This updated law, known as UK GDPR, is scheduled to take effect on 1 January 2021.

In other words, the same rules will still apply. But after the transition period, the UK government will have sole discretion over the legislation.

After this merge, most practices will want to make some minor changes, like updating their privacy policy and other legal documentation, and some practices will need to go a step further to comply with both versions of GDPR.

You may still need to comply with EU GDPR.

Although most of the UK GDPR is nearly identical to the EU version, the obligations of your business may change after the transition period ends. There are two circumstances when EU GDPR would apply to your practice:

1. 1.Offering goods and services to EU citizens.
   If you happen to get the occasional European patient, that’s probably okay. You shouldn’t need to worry about complying with EU GDPR just because of that. But if you are intentionally offering your services to European citizens, you will need to comply with EU privacy laws.
   
   Criteria can include—but is not limited to—things like offering telehealth appointments to people in the EU, advertising within European countries, or accepting payment in euros.*
   
2. 2.Monitoring the behaviour of EU citizens.
   If your practice collects online user data, like cookies or IP addresses, you will need to comply with EU GDPR. Even if your website is only intended for UK citizens, it’s quite possible that you’ll get random visitors from all over the world, including Europe. If you’re tracking their online behaviour, you’ll be subject to the European law.
   
   For example, a clinic in Sheffield whose website happens to get the occasional visitor from Continental Europe would need to adhere to EU regulations if they track people’s behaviour while on the site.

*Be sure to seek some independent legal advice (like from your professional organisation) to make sure your practice complies with all applicable laws.

The UK as a ‘third country’.

After the transition period, the UK will be classified as a third country under EU privacy law. That means complying with EU GDPR may require some additional adjustments, like appointing an EU representative and adopting some appropriate safeguards.

In the meantime, a ‘bridge period’ of up to 6-months will be in place (starting 1 January 2021), allowing personal data to flow legally between the UK & EU just like before. This should give the EU time to make an adequacy decision with limited disruption to the exchange of information.

There is a chance the European Commission will make an adequacy decision to recognise UK privacy laws as being sufficiently similar to EU GDPR. If that happens, the UK would no longer be considered a ‘third country’, and the adjustments won’t be necessary.

In the meantime, a ‘bridge period’ of up to 6-months will be in place (starting 1 January 2021), allowing personal data to flow legally between the UK & EU just like before. This should give the EU time to make an adequacy decision with limited disruption to the exchange of information.

As of this writing (published 21 December 2020), a decision still has not been made. But, the process is ongoing, and the UK’s status could change in the future. Be sure to check with your professional organisation to get the latest updates and info.

No, this won’t impact your Cliniko account.

The UK government intends to recognise existing ‘standard contractual clauses’. So, if you signed a Data Processing Addendum (DPA) with Cliniko, it should still be valid for UK GDPR, and you won’t need to take any further action with us. New Clinko account holders in the UK and EU will still need to sign a DPA.

Cliniko has already taken steps to make sure we stay compliant with the newly-merged laws. As part of our compliance, we have appointed a UK representative for all of Cliniko’s privacy matters in the country. You can learn more about this in our privacy policy.

What can you do?

While we hope this article is helpful for you, it’s not intended to be a comprehensive guide. We encourage you to dig a little deeper and become familiar with the privacy regulations that affect your practice (if you haven’t already).

We also encourage you to reach out to your professional organisation. They should have the latest updates for you and practical advice on how your practice can stay compliant.

You can also head over to our help site to brush up on how Cliniko helps you comply with GDPR or reach out to our friendly support team.