For those of us based in the UK, COVID 19’s domination of the world media has provided a distraction from the constant chatter over the looming Brexit deal, which, in comparison to a global pandemic, felt somewhat trivial. However, the transition period is over; we have left the EU, and it’s time to face the challenges that this entails. One of the more significant implications for businesses is that of the UK becoming a third country for the purposes of EU–to-UK personal data transfers.
For the time being, though, everything remains the same. This major implication has been mitigated by a four-to-six-month grace period to allow more time for the European Commission to consider whether to grant the UK adequacy. “The effect of an adequacy decision is that personal data can be sent from an EEA state to a third country without any further safeguard being necessary.”
The allowance of more time is a key reflection of the importance of smooth data flows in a world which is becoming increasingly globalised. Indeed, the transfer of data between the EU and the UK is crucial to the future prosperity of both. The Institute for Government notes that “volumes of data entering and leaving the UK increased 28 times between 2005 and 2015, and three quarters of those data transfers were with EU countries”. Any restriction placed on data flows would act as a major barrier to trade, putting UK businesses at a marked competitive disadvantage.
There is a lot of parallel work going on to update the GDPR Model or Standard Contractual Clauses, as a fall out of the Schrems II decision. So, if the adequacy decision goes the wrong way, there is work to be done to implement the new SCCs and, of course, any EEA based companies exporting data to third countries will also have to update their data transfer agreements.
The next six months are set to be busy as the world of Data Privacy continues to be in a complex state of flux. As we prepare for the worst, while hoping for the best, engage with an expert from The Data Privacy Group to operationalise your privacy program and allow yourself to concentrate on generating revenue with the peace of mind that you are compliant with data privacy regulations; no matter what the adequacy decision outcome may be.