On 31 January 2020, after almost four years of negotiations, the UK’s membership of the EU ended. This began a transition period, set to end on New Year’s Eve, during which the UK and the EU will agree their future relationship.
There are, of course, still many unanswered questions, but the good news is that there is a degree of clarity when it comes to transferring personal data into and out of the EU.
Let’s take a look at what you need to know.
The GDPR after Brexit
There has been a lot of speculation about whether the GDPR (General Data Protection Regulation), being an EU regulation, will apply in the UK after Brexit. That’s because the answer is complicated – but bear with us.
The first thing to remember is that EU residents’ information will always be protected by the GDPR, whether the organisation processing the data is based in the EU or not.
Any UK organisation that processes EU residents’ personal data will therefore still be required to comply with the Regulation after Brexit.
The second thing to note is that UK organisations are also bound by the UK DPA (Data Protection Act) 2018, which transposes the GDPR’s requirements into national law and fills in certain areas that the Regulation leaves to individual member states to interpret and implement.
As such, data subjects in the UK will have the same levels of data protection post-Brexit.
These are important points regarding compliance in general, but they don’t explain how organisations can transfer EU residents’ data into the UK after Brexit.
Transferring personal data into and out of the EU
When the transition period ends, the UK will become a third country and will therefore no longer be able to transfer personal data freely to and from the EU.
As a result, UK organisations will need a new legal basis for importing EU residents’ personal data. There are three ways this can happen:
1. Adequacy decision
The EU has determined that several countries offer an adequate level of personal data protection and permitted them to perform cross-border transfers.
This enables organisations in those countries to import EU residents’ personal data freely, in much the same way as currently happens within the EU.
The UK hopes that by enacting the GDPR’s requirements into domestic law, it will demonstrate an adequate level of data protection. Unfortunately, the EU couldn’t begin its adequacy decision process until exit day, which was 31 January 2020, and you shouldn’t expect confirmation any time soon. The fastest of the 13 adequacy decisions made so far was Argentina, which took 18 months.
2. Standard contractual clauses
If an adequacy decision isn’t reached by the end of the transition period, organisations’ next best option will probably be SCCs (standard contractual clauses).
SCCs are suitable when organisations share data with non-EU-based organisations in a straightforward, predictable manner.
That’s because SCCs only cover the data processing activities set out in writing, so new contracts have to be drafted every time those processing activities change.
The European Commission has so far issued two sets of SCCs for data transfers from data controllers in the EU to data controllers established outside the EEA, and one set of contractual clauses for data transfers from controllers in the EU to processors established outside the EEA.
3. Binding corporate rules
As the name suggests, BCR (binding corporate rules) are internal guidelines that are legally enforceable by every member of a corporate group.
However, the rules only apply to that group. As such, while they may be useful for intracompany transfers, they don’t help when data needs to be transferred between different entities.
It’s also worth noting that the UK’s data protection authority, the ICO (Information Commissioner’s Office), will no longer be a GDPR supervisory body after the transition period, so its BCR will no longer be valid.
UK organisations will therefore have to use BCR approved by a supervisory authority in the remaining 27 EU member states.
Looking for more GDPR compliance advice?
The GDPR continues to cause problems for organisations almost two years after it took effect. However, its requirements – and the penalties for failing to meet them – aren’t going anywhere, so you need to make sure your practices are in order.
If you’re looking for compliance guidance, whether it’s on a specific issue or your overall approach, you should take a look at our Privacy as a Service solution.
Led by a team of experienced DPOs (data protection officers), lawyers, barristers, and information and cyber security experts, we’ll work with you to develop a tailored solution that suits your needs.
This includes help with your DPO requirements, breach notification processes and data privacy management, and support completing DSARs (data subject access requests).