Further to our recent data protection update (see here), the UK has now left the EU and the transition period is over. The UK and the EU have reached a deal on their future relationship and, as part of the arrangement, there is now welcome certainty (for now at least) in relation to the position on EU to UK data transfers.
The position currently is as follows:
1. Data transfers from the EEA (i.e., the EU and also Iceland, Liechtenstein, and Norway) to the UK:
The EU and the UK have agreed that transfers from the EEA to the UK will be allowed on a temporary basis for up to six months. It is intended that this will allow time for an adequacy decision to be adopted in respect of the UK. An adequacy decision means that the European Commission has decided that a third country offers an adequate level of data protection and the effect of a decision is that data can be transferred to that country without the need for alternative transfer mechanisms. During this interim period, data can continue to flow freely from the EEA to the UK.
The UK’s data protection regulatory body, the Information Commissioner’s Office (ICO), has recommended, however, that alternative transfer mechanisms are put in place by UK businesses as a precaution so that data can continue to be received from EEA businesses in the event that the position changes.
For most businesses, the most straightforward option will be standard contractual clauses (SCCs).
2. Data transfers to the EEA from the UK:
The UK has confirmed that until further notice it will allow data to be transferred freely to the EEA so there is no need at the present time to put additional transfer mechanisms in place for data flowing from the UK to the EEA. This means that data can continue to flow freely from the UK to the EEA unless a decision is made by the UK to end the arrangement (which is unlikely given the likely implications).
3. Other steps
Now that there is some certainty in relation to data protection matters following Brexit, it is a good time to think about whether there are any other steps you should take (if you have not already done so). Ultimately, the precise steps you will need to take will depend on your business and the way you deal with data. Whilst some businesses will have a lot to do, others will just have to make small changes. Practical steps that may be relevant include the following:
Appointing a representative in the UK or the EU.
Considering whether you will have to deal with a new lead supervisory authority.
Evaluating which data falls under which regime (i.e., the EU or UK GDPR).
Reviewing and revising external and internal data protection documents such as privacy notices and policies.
Considering whether alternative transfer mechanisms should be put in place in accordance with the ICO’s recommendation.
Reviewing and updating records of processing.
We have prepared checklists for businesses to assist with identifying what steps need to be taken in relation to data protection. If you would like a checklist or if you require advice on how your business may be affected by Brexit generally, please contact the corporate/commercial department at 3CS.