Regulatory Compliance/Data Protection
How companies incorporated in Wales and the UK, or where the parent company is incorporated in Wales or the UK, can comply with UK accounting and reporting requirements from 2021.
Changes to the UK’s corporate reporting regime
There will be changes to the UK’s corporate reporting regime from 2021. These changes will affect a small number of companies.
Preparing annual accounts
All companies will need to use ‘UK adopted IAS’ instead of ‘EU adopted IAS’ for financial years beginning after the 1 January 2021. Both sets of standards will be the same on 1 January 2021. There may be differences later if the UK adopts or amends standards and the EU does not.
You can continue to use EU adopted IAS when preparing your accounts for financial years beginning on or before 1 January 2021.
Some types of companies will need to take further action from January 2021.
Welsh/UK incorporated parent companies
Welsh/UK incorporated parent companies with a subsidiary in the EEA need to check the reporting requirements in the country where the subsidiary is based.
Welsh/UK companies with a presence in the EEA
Welsh/UK companies with a presence in an EEA country - for example, a branch - need to check the reporting requirements in that country.
Welsh/UK public companies with a UK listing
The way companies raise capital and trade securities on a regulated market will change.
Welsh/UK incorporated groups with securities admitted to trading on a UK regulated market will need to prepare accounts using UK adopted IAS for all accounting periods beginning on or after 1 January 2021.
They can use EU adopted IAS for accounting periods starting before January 2021. They will not need to restate these accounts after that date.
Welsh/UK public companies with an EEA listing
UK incorporated groups that issue debt from a subsidiary incorporated in the EU will need to do both of the following:
- comply with the rules of the country where the subsidiary is based
- produce accounts that comply with the UK Companies Act 2006
All Welsh and UK public interest entities (banks, building societies, insurers and issuers of securities that trade on UK regulated markets) will have to follow:
- Disclosure and Transparency Rules issued by the Financial Conduct Authority (FCA)
- rules issued by the Prudential Regulation Authority (PRA)
Changes to the Audit Directive
UK issuers of shares or debt securities that are only admitted to trading on EEA regulated markets will no longer be subject to this framework.
The Audit Directive requirement will still apply to companies with a parent company incorporated in the UK.
For subsidiaries that are issuers of securities on UK regulated markets, the parent company may be subject either to the FCA or the PRA rules.
For subsidiaries that are banks or insurers and qualify under the more limited exemption provided by the PRA, the parent must be subject to the PRA rules.
Welsh/UK companies will need to appoint a UK registered audit firm. An individual UK registered auditor will need to sign the audit report on behalf of the firm.
Some rules relating to approving individuals and firms for registration as auditors will change. Find out more about auditing from 1 January 2021.
Accounting for EEA companies in the UK
Find out what you need to do if you’re an EEA company working the UK.
What UK audit firms, UK auditors, and those with UK audit qualifications need to do from 1 January 2021.
This guidance is for UK auditors and audit firms. There’s different guidance for EEA auditors and audit firms.
The rules for auditing Welsh/UK companies operating solely in the UK will not change from 1 January 2021.
Welsh/UK companies operating in European Economic Area (EEA) countries will need to meet regulations in those countries.
Recognition of UK audit qualifications in EEA countries
Your UK qualification may not continue to be recognised from 1 January 2021.
The recognition of UK audit qualifications in EEA countries may be agreed as part of the future relationship with the EU.
UK audit firms auditing EEA companies
You may not be able to sign an audit report for an EEA company from 1 January 2021.
The recognition of UK audit qualifications in EEA countries may be agreed as part of the future relationship with the EU.
Third country auditors of non-EEA firms listed on EEA regulated markets
To carry out these audits you should register with the competent authority of the EEA state where the market is based.
You should do this as soon as possible from 1 January 2021.
Businesses treated as public interest entities
Banks, building societies, insurers and issuers of securities that trade on UK regulated markets will be treated as public interest entities and must follow the EU Audit Regulation from 1 January 2021
Your business will no longer be treated as a public interest entity in the UK if it only issues securities that are admitted to trade on EEA regulated markets.
Auditing groups of companies
You do not need to do anything if you audit a group of companies across the EEA and the UK if your parent company is based in the UK.
Restrictions on subsidiary companies in the EEA
Check with the competent authority in the country where your subsidiary is incorporated if there are any restrictions that may apply from 1 January 2021 - for example, sharing information outside the EEA.
Blacklisted non-audit services
Non-audit services will be blacklisted for all overseas subsidiaries of UK public interest entities from 1 January 2021.
- non-audit services will be prohibited if provided by the auditor of a UK public interest entity
- firms in the same network as a UK auditor of a UK public interest entity will be prohibited from providing blacklisted services to non-EEA subsidiaries
Disclosure and Transparency Rules on Audit Committees
UK issuers of shares or debt securities that are only admitted to trading on EEA regulated markets will no longer be subject to the Disclosure and Transparency Rules issued by the Financial Conduct Authority (FCA) from 1 January 2021.
All other UK public interest entities will still be subject to the Disclosure and Transparency Rules issued by the FCA and relevant rules issued by the Prudential Regulation Authority (PRA).
Exemptions for subsidiaries
The exemptions in these rules will continue to apply to subsidiaries as long as the parent company is incorporated in the UK.
For subsidiaries that issue securities on UK regulated markets, the parent company can be subject to either the FCA or the PRA rules.
Banks or insurers that qualify for PRA exemptions only, must have a parent company that is subject to the PRA rules.
Ownership of UK audit firms
You can continue to include EEA auditors in your Wales/UK firm’s required majorities of qualified owners and managers from 1 January 2021.
You can no longer include EEA audit firms, unless they’re both:
- based in the Republic of Ireland
- registered with a UK Recognised Supervisory Body
Ownership of EEA audit firms
As a UK auditor or UK audit firm you may not be allowed to continue in an EEA firm’s required majorities of qualified owners and managers from 1 January 2021.
Competition policy and state aid
After leaving the EU the role of policing and ensuring fair competition in Wales/UK markets (including state aid) will fully transfer to British regulators and agencies. This could result in differences to the current approach – for instance on approvals for mergers and acquisitions.
The Competition and Markets Authority (CMA) has published a notice on its role after Brexit.
- Guidance on the functions of the Competition and Markets Authority under the Withdrawal Agreement
- Explanatory note
This guidance is designed to explain how EU Exit affects the CMA’s powers and processes for competition law enforcement (‘antitrust’, including cartels), merger control and consumer protection law enforcement during the transition period, towards the end of that period, and after it ends. The guidance also explains the treatment of ‘live’ cases, which are those cases that are being reviewed by the European Commission or the CMA during and at the end of the transition period.
In order to have guidance in place ahead of 31 January 2020, the CMA has chosen to publish this guidance in a ‘live’ document which may be subject to change, particularly in the light of further political and legal developments.
Accordingly, the CMA may amend elements of the guidance or issue further guidance in due course to clarify and explain any differences to the UK regime which will take effect at the end of the transition period, taking into account the UK’s future relationship with the EU. The CMA welcomes any views stakeholders may wish to raise in relation to the guidance which will be considered in the context of any future guidance the CMA might issue.
Stakeholders are invited to send any such comments by post or email to:
EU Exit Guidance – Withdrawal Agreement team
Policy and International
Competition and Markets Authority
25 Cabot Square
Data protection, GDPR, and mobile roaming
What action you need to take regarding data protection and data flows with the EU/EEA after the end of the transition period.
Further information can be found on the Information Commissioner’s Office’s (ICO) website. The ICO is the independent supervisory authority for data protection in the UK.
What personal data is
Personal data is any information relating to an identified or identifying living person. This includes names, delivery details, IP addresses, or HR data such as payroll details. Most organisations use personal data in their daily operations.
An example of this is a Welsh company that receives customer information from a company in the EU, such as names and addresses, to provide goods or services.
Looking ahead to 1 January 2021
Receiving personal data from the EU/EEA and already adequate third countries
From 1 January 2021, your organisation may need to have Standard Contractual Clauses (SCCs) in place with EU counterparts in order to legally with EU counterparts in order for them to legally send personal data to you from the EU.
The EU’s data adequacy assessment of the UK is underway and we are confident that adequacy decisions can be concluded by the end of the transition period. This would allow for the free flow of personal data from the EU/EEA to the UK to continue without any further action by organisations.
However, if the EU has not made adequacy decisions in respect of the UK before the end of the transition period, you should act if you want to ensure you can continue to lawfully receive personal data from EU/EEA businesses (and other organisations) in the future.
In this scenario, organisations will be required to put in place alternative transfer mechanisms to ensure that data can continue to legally flow from the EU/EEA to the UK. For most organisations, the most relevant of these will be Standard Contractual Clauses (SCCs). The ICO also provides more detailed guidance on what actions might be necessary and an interactive tool that allows you to build SCCs.
In addition to this, 11 of the 12 third countries deemed adequate by the EU have currently informed us they will maintain unrestricted personal data flows with the UK. Further information can be found on the ICO’s website.
For personal data flows from the UK
There are currently no changes to the way you send personal data to the EU, EEA, Gibraltar and other countries deemed adequate by the EU. If this situation changes, we will update this page.
For international data transfers from the UK to other jurisdictions, further information can be found on the ICO’s website.
Personal data provisions in the Withdrawal Agreement
Organisations should also be aware that Article 71 of the Withdrawal Agreement contains provisions that apply EU data protection law (in its end of the transition period state) to certain ‘legacy’ personal data if the UK has not been granted full adequacy decisions by the end of the transition period. ‘Legacy data’ includes personal data of individuals outside the UK processed in the UK prior to the end of the transition period, or subsequently on the basis of the Withdrawal Agreement. Check the ICO’s website for further information.
Appointing EU-based representatives
Some UK data controllers and processors may also need to appoint EU-based representatives from 1st January 2021. Further information can be found on the ICO’s website, or you can call the ICO helpline on 0303 123 1113 for further information (open Monday - Friday).
Data protection and GDPR
To date, during the transition period, there has been no change to the UK’s data protection standards. EU data protection laws, including the General Data Protection Regulation (GDPR), have continued to apply throughout the transition period alongside the Data Protection Act 2018. The Information Commissioner remains the UK’s independent supervisory authority on data protection.
After the end of the transition period, GDPR will be retained in UK law and will continue to be read alongside the Data Protection Act 2018, with technical amendments to ensure it can function in UK law. The UK remains committed to high data protection standards.
What you need to know about the transition period, data flows and EU-based representatives
During the transition period, personal data is able to flow freely (subject to GDPR compliance), without additional restrictions, between the EU/EEA and the UK. There is also no requirement for UK data controllers or processors to appoint EU-based representatives for the duration of the transition period. UK organisations are also still able to send personal data legally from the UK to the EEA and 12 countries currently deemed adequate by the EU.
On 16 July 2020 the Court of Justice of the European Union (CJEU or ECJ) invalidated the EU-US Privacy Shield adequacy decision with immediate effect in the Schrems II case, meaning this framework can no longer be relied upon for personal data transfers to US businesses and organisations.
The judgment upheld that EU standard contractual clauses (SCCs) remain a valid tool for the international transfer of personal data but only where they (together with any additional measures) provide for “essentially equivalent” protection as in the EU.
During the transition period, EU data protection law applies to the UK, and the Schrems II judgment and EU adequacy decisions are therefore binding on transfers of data leaving the UK. Further information can be found on the ICO’s website.
Resources and Information
Welsh Government guidance on Data Protection after January 1 2021.
The Information Commissioner’s Office (ICO) has published a checklist of six steps that businesses can take now to start preparing for data protection compliance if the UK leaves the EU without a deal: https://ico.org.uk/media/for-organisations/documents/2553958/leaving-the-eu-six-steps-to-take.pdf
UK companies retailing to consumers or trading ‘information and data services’ (e.g. video sharing, social media platforms and internet service providers) across the EU would face changes to their regulatory environment.
Your business should consider
Do you know if the EU’s eCommerce Directive is relevant to your business?
Does your business operate any websites with a ‘.eu’ domain name registration?
Resources and information
The Department for Culture Media and Sport has produced official guidance for businesses engaged planning for after the EU transition period: The eCommerce Directive after the transition period
Find out what you need to do before the end of the transition period if you hold a .eu domain: .eu domain names - what you need to do before the end of the transition period
Regulations and standards
When the UK leaves the EU there may be changes to the requirements for placing certain products on the UK and EU markets:
- Placing manufactured goods on the EU market from 1 January 2021
- Placing manufactured goods on the market in Great Britain from 1 January 2021
- How to comply with REACH chemical regulations
- Reporting requirements for medicine shortages and discontinuations
- Transition Period – after 31 January 2020 for the Vehicle Certification Agency (VCA)
- UK product safety and metrology changes from 1 January 2021
- The British Standards Institution (BSI) has published information about standards if there is a no deal: Standards and EU Exit
For the setting of standards, BSI state their membership of the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) is unaffected by the EU transition, and following campaigning by the British Chambers of Commerce (BCC) and other business groups, they will seek to remain members of the European Committee for Standardization (CEN) and European Committee for Electrotechnical Standardization (CENELEC) to ensure continuity.
UKCA (UK Conformity Assessed) marking
The UKCA (UK Conformity Assessed) marking is a new UK product marking that will be used for certain goods being placed on the UK market.
Find out if you will need to use the new UKCA marking and how to use it: Using the UKCA mark from 1 January 2021