Brexit Deal Done: GDPR and Data Transfers – What This Means


On Christmas Eve, a Trade Deal was announced between the EU and the UK, ending many months of speculation as to what a Deal would look like – or even whether one would be secured at all. Many sceptics thought we’d be free of Europe and its stringent data protection legislation, as GDPR had proved a challenge for many businesses since its introduction.

However, as the UK had implemented its own data protection legislation to largely mirror the EU version (the Data Protection Act 2018), our commitment to the principles of the GDPR is already in place.

But what does the Deal mean for data protection and the flow of personal data – and are you Brexit ready?

The Deal

As part of the Deal, the EU have agreed to offer the UK a temporary Adequacy Decision. This is a crucial decision, as it means personal data can continue to flow into and out of the UK as it has done previously. Without this temporary Adequacy Decision, businesses whose operations meant data flowed into and out of the UK from the EEA would have had to implement Standard Contractual Clauses (SCCs) in their existing contracts.

This temporary adequacy is set to last four months initially, with the option of a two-month extension if required.

During this six-month timescale, the UK must maintain its commitment to upholding the principles of the UK GDPR and must not make any changes to the data protection regime without the agreement of the EU. If changes are made without prior agreement, this temporary Adequacy Decision will be repealed – and data flows from the EU to the UK will become unlawful.

Therefore, stringent data protection measures will still need to be a high priority for all UK businesses – and the ICO needs to demonstrate it is continuing in its drive to enforce the legislation.

My Business Is Based in the UK, but Operates in the EU...

If your business is based in the UK and has a substantial operation in the EU (but no trading base), then you will need to instruct a representative in the country with the greatest activity. The job of this representative will be to ensure the principles of the EU GDPR are upheld by the business operation – and you must ensure the individual appointed has sufficient experience of European data protection legislation.

My Business Is Based in the EU, but Operates in the UK...

If your business is based in the EU and has a substantial operation in the UK (but no trading base), then, again, you will need to instruct a representative in the UK to oversee the operations and ensure these meet the obligations of the UK GDPR. This may mean you have to appoint a UK DPO to manage this.

Data Transfers Between the UK and USA

Earlier this year, the Court of Justice of the European Union (CJEU) ruled in the Schrems II case that Privacy Shield (the US data protection framework) is invalid. This is mainly down to US surveillance culture, which allows for any personal data hosted and/or processed in the US to be intercepted and/or monitored by the security services. As far as the EU and UK are concerned, this is an invasion of privacy.

This means that any business transferring data between the US and the UK/EU must rely on Standard Contractual Clauses (SCCs) in its contracts to legalise the transfer.

Without appropriate SCCs in place, the transfer is unlawful, and the sender of the data would be held responsible in the event of a breach or security issue.

Although after Brexit the UK will not be subject to the rulings of the CJEU, the ICO has confirmed it will be upholding the ruling in the Schrems II case, so this decision still applies.

If you need support in drafting your own SCCs, reviewing data flows or even handling the UK representation work, give us a call.

Andy Chesterman