The UK's newly acquired status as a 'third-country' post-Brexit has future implications for data transfers between the UK and the EU. We say future because the deal that was struck with the EU on Christmas Eve was so last minute that there was insufficient time to reach agreement on all issues relating to the UK's departure from the EU. Data protection was one of the things that was put on the 'Do it Later' list.
Last year, the EU had been intending to complete an assessment of the adequacy of the UK's data protection regime to see if it was in line with EU law. Instead, due to time pressure, a bridging mechanism was put in place on 24 December 2020 that introduced a quasi-moratorium, which permits the free flow of data between the UK and EU member states to continue unabated until potentially 30 June 2021.
What you need to do to make your business data protection compliant
The priority for the EU now is to complete its assessment as to whether the UK's current data protection regime under the UK GDPR is adequate and complies with EU law. If the EU finding is that the UK GDPR is adequate, then nothing will change for you in terms of data protection and transfers of data between the UK and EU can continue as they are now. This means that you will not have to do anything differently until at least 1 July 2021.
If, however, the EU finds by 1 July 2021 that the UK GDPR is not adequate, then you will have to put in place additional legal safeguards from 1 July 2021 before you can transfer data from the UK to the EU. It is worth mentioning at this juncture that there is no guarantee that the UK's data protection regime will be regarded as adequate, as the EU has already found against the UK twice on this point.
The additional legal safeguards include standard contractual data protection clauses (this will be the most commonly used safeguard), codes of conduct for the transfer of data that comply with the Information Commissioner's Office requirements for transfer, or certification under an approved certification scheme.
Concluding remarks and advice
The advice currently is to wait and watch our website for a further update.
Hopefully, the EU and UK will reach an agreement by 1 July 2021 that the UK GDPR is adequate and nothing will change. However, there is no guarantee this will be the case.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.