Intellectual Property (“IP”) and EU Data
Since 1 January 2021, the UK is outside the single market. That means it is also outside the single market for data transfers and digital services. Almost all businesses now handle data in some form or another. Even if your main business is not in digital services, you can assume that you will be affected. The rules on data will not go away, but they will change.
Data is a crucial subject, and you may need specialist advice. The main areas to think about with IP and Data are:
- Data Transfers
- Websites, Domain Names, and Technology Providers
- Intellectual Property (“IP”) rights.
The UK will not be treated as a third country for an interim period of four to six months from 1 January 2021. This is to allow time for the European Commission (EC) to finalise its adequacy assessment of the UK. The purpose of the adequacy assessment is for the EC to decide whether the UK provides “essentially equivalent” protection for personal data as the EU and, therefore, whether transfers of data may be permitted without the need for organisations to take further measures.
If there is an adequacy decision, businesses have to just continue to comply with GDPR and no extra measures will be needed, as most of the data protection rules will stay the same. You can keep exchanging personal data with organisations in EU member states and the countries that the EU has deemed adequate: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay, USA (Privacy Shield).
If there is no adequacy decision during the bridging mechanism in the next 4 to 6 months (i.e by the end of June 2021), businesses will have to take measures in order to legally receive personal data from EU countries.
- If your UK business receives personal data from a processor or a controller in the EU, you should build a contract with Standard Contractual clauses – check the tool on the ICO website to determine which set you need.
- If your UK business sells goods or services in the EU, or has European customers or monitors online behaviour of individuals, you need to comply with the EU data protection regime in relation to these activities. In most cases you will also need to appoint a GDPR representative in the EU. This person will act as your local representative with individuals and data protection authorities in the EU. You will need to find a provider in the EU who offers services as a GDPR representative. If you have a data protection officer (DPO), this cannot be the same person or one of your processors.
- If you are part of a multinational group, i.e. where you UK business has an EU branch or an office, you are advised to adopt the EU’s binding corporate rules on data protection.
- If you don’t receive or process any personal data from customers, suppliers, or other contacts in the EEA, you may not have to take any action about data transfers, but you must consider this very carefully.
Websites, Domain Names, and Technology Providers:
- If you use any websites or other tech services hosted in the EU, check whether their services or your contract with them will be affected.
- If your UK business does not have presence in the EU and you are not an EU citizen and if you are providing digital services to the EU customers, you will not be able to continue using your .eu domain or to register a new one and your existing .eu domain will be withdrawn. You should discuss with your local domain name registrar whether to transfer your internet domain to another top level domain. For more information please refer to the UK Government guidance on registering and renewing .eu domain names in the UK.
Intellectual Property (“IP”) rights
- If you have trademarks, copyrights, patents, or any other IP rights registered with the EU Intellectual Property Office (IPO) these should have been translated into UK rights automatically. We recommend however that you check with the UK Intellectual Property Office that this has taken place.
- You have nine months from the end of the transitional period to register in the UK any trademark applications that are pending in the EU but not registered yet.
- For any IP rights created after the end of the transition period, you will need to take advice on how to protect them across the EU.
Cybersecurity and Data Protection
Steps to help your business comply with data protection rules.
Support from London Business Hub
Specialist programmes and support from London Business Hub.