The EU Commission has awarded the UK two adequacy decisions. The first recognises that the UK meets the requirements of the GDPR (General Data Protection Regulation), and the other recognises that it meets the requirements of the Law Enforcement Directive.
These decisions mean that organisations in the EU can freely transfer personal data to the UK without SCCs (standard contractual clauses) or BCRs (binding corporate rules).
It also applies to any organisation outside the EU wishing to transfer EU personal data to the UK.
What does this mean?
After much speculation about what would happen following Brexit, the EU Commission’s decision provides some much-needed clarity. Put simply, organisations in the UK and the EU can work with personal data as partners without additional safeguards.
On a broader level, the decision also demonstrates that the EU believes that the UK has high data protection standards, with both parties recognising each other’s data protection requirements.
This in turn highlights the UK’s reliability globally when it comes to processing personal data.
Organisations should note that requirements regarding EU and UK representatives remain unchanged. If your organisation is based in the UK and you monitor the behaviour of, or offer goods and services to, EU residents, you will most likely require an EU representative.
You should also note that the adequacy decision for the GDPR does not cover personal data for UK immigration requirements. As such, organisations within the EU – or which handle EU personal data elsewhere – still need measures in place if they are to make such transfers.
Looking for GDPR compliance advice?
The GDPR continues to cause problems for organisations two years after it took effect. Although the granting of an adequacy decision simplifies the task of decoding your requirements somewhat, there are still plenty of compliance issues causing headaches.
If you’re looking for help understanding what you need to do – whether it’s on a specific issue or your overall approach – help is at hand.
With GRCI Law’s Privacy as a Service solution, we’ll provide guidance tailored to your needs.
Led by a team of experienced DPOs (data protection officers), lawyers, barristers, and information and cyber security experts, we can support you no matter what aspect of compliance you’re struggling with.
This includes help with your DPO requirements, breach notification processes and data privacy management, and support completing DSARs (data subject access requests).