Brexit - Data Protection
Critical issues for businesses to consider:
Data flows to the UK: Personal data transfers to the UK have, since 1 January 2021, relied upon an interim bridging measure in the UK-EU Trade and Cooperation Agreement for the adequacy decisions to be implemented, which expires at the end of June 2021. You can find out more about this bridging mechanism in our earlier report.
Negotiations are ongoing for the European Commission to adopt adequacy decisions on personal data transfers to the UK in order to assure uninterrupted and continued free flow of personal data with the UK from 1 July 2021. Both the European Data Protection Board and members of the European Parliament have raised concerns over adopting the draft adequacy decisions in their current form so it is uncertain if they will be in place by the 1 July deadline. You can read our update on the European Data Protection Board cautiously welcoming the draft adequacy decision.
Data transfer safeguards: If no adequacy decision is in place by the end of the bridging period, then business will need to implement data transfer safeguards recognised under the GDPR. The most common commercial safeguards are the model form standard contractual clauses adopted by the European Commission (Standard Contractual Clauses). In June 2021, the Standard Contractual Clauses were updated for the first time in a decade and now need to be rolled out to cover personal data transfer arrangements involving a party located in a country outside the EEA that is not subject to an adequacy decision. The new form of the Standard Contractual Clauses import greater obligations than their predecessors on importers and exporters of personal data. For an overview of the new Standard Contractual Clauses, the obligations and pre-contractual assessments they now require and the timeframe for putting them in place, read our update here.
Representatives: Any UK business that does not have an establishment in the EEA and which processes personal data of any data subjects in the EEA in order to offer the goods or services or to monitor their behaviour must appoint a representative in the EEA to comply with the GDPR. This appointment is distinct from that of a Data Protection Officer and different obligations arise in respect of the appointment and the responsibilities a representative.
Further updates: As noted above, personal data sharing with the UK is currently subject to change and we will continue to update this page with future updates.