The UK government recently unveiled plans to expand the list of countries that it deems provide adequate data protection.
It comes as part of a wider announcement on the future of the UK’s data protection regime, and follows the EU’s adequacy decision on the UK earlier this year.
Adequacy decisions mean that the country or territory in question is considered to have high data protection standards. As such, organisations are permitted to share personal data freely without the need for additional safeguards.
UK organisations that deal with EU residents’ personal data will be familiar with the complicated nature of data transfers when an adequacy decision isn’t reached.
As the post-Brexit grace period neared its end, organisations were preparing for the requirement to create SCCs (standard contractual clauses) and BCRs (binding corporate rules).
The EU’s adequacy decision means those safeguards are only required in certain circumstances – and the same principle may soon apply to data transfers between the UK and other countries outside the EU.
Which countries have an adequacy decision?
The UK has recognised all EU member states as providing an adequate level of data protection for the purposes of the UK GDPR (General Data Protection Regulation).
The following countries or territories have also been deemed adequate:
- Canada (partial)
- Faroe Islands
- Isle of Man
- New Zealand
The UK government has said that it is prioritising adequacy decisions for Australia, Colombia, Dubai, South Korea, Singapore and the US.
It lists Brazil, India, Indonesia and Kenya as longer-term priorities.
What happens now?
The UK government also revealed its proposed test for granting an adequacy decision. Notably, it differs from the European Commission’s, and contains four phases:
- Gatekeeping: deciding whether to commence an adequacy decision.
- Assessment: collecting and analysing information relating to the level of data protection in that country.
- Recommendations: a provisional decision to be given to the Secretary of State, who will consult with the ICO (Information Commissioner’s Office) and decide whether to grant an adequacy decision.
- Procedural: the technical and regulatory steps needed to give legal effect to the adequacy decision.
The deviation from the EU’s approach reflects the government’s intention to “[develop] a world-leading data policy that will deliver a Brexit dividend for individuals and business across the UK”, and to reform current data protection laws “so that they’re based on common sense, not box ticking”.
Speaking to the Telegraph, Oliver Dowden, the Secretary of State for Digital, Culture, Media and Sport, explained what this might mean in practice.
Although the UK won’t be able to make drastic changes, as it needs to ensure that its practices continue to be considered adequate by the European Commission, his comments suggest that significant changes could again be coming.
How will the changes affect your organisation?
Organisations may be pleased to learn that there could be fewer obstacles for data processing and data transfers, but they should be equally concerned about what it means for GDPR compliance.
As the UK diverges from EU regulations, it not only risks the country’s adequacy status but also creates separate requirements for organisations that are subject to both UK law and the GDPR.
If you’re worried about how your organisation can navigate this issue, GRCI Law can help. With our GDPR Contract and Legal Services package, you’ll receive expert guidance to ensure your data sharing contracts meet your legal requirements.
The service is also ideal if you want support with privacy notices and policies, HR documentation, or commercial contracts with suppliers, customers and employees.