GDPR post-Brexit – an update

GDPR post-Brexit

Late last year, we published a guide to everything you need to know about GDPR after Brexit. A few things have changed since then, not least, the UK finally agreeing on a deal on 24th December 2020. So, with the terms of the UK’s exit decided, do we know anything more about what GDPR looks like post-Brexit?

What’s happened since a deal was agreed?

You may remember from our previous piece that the UK was awaiting an ‘adequacy’ decision from the European Commission (EC). In simple terms, the EC must decide whether the UK has adequate data protection measures in place for EU countries to work with it.

In the time-honoured fashion of all negotiations between Britain and EU organisations, we’re still waiting on that decision. However, as a temporary fix, the two sides have set out the ‘Trade and Cooperation Agreement’, which contains a provision for data flows. 

What does this mean for GDPR? 

The ‘Trade and Cooperation Agreement’ contains a provision allowing data flows between the EU and UK to continue as they were pre-Brexit for a maximum of six months. In other words, data can still be transferred in the way it was pre-January 2021 until June this year.

There are two ways this ‘bridging period’ could come to an end. The first is that the UK makes changes to data protection law during the period. If this happens, the UK would be outside the terms of the agreement and data transfers will immediately stop.

The second is that the EC makes a decision on the UK’s adequacy status. If this hasn’t happened by 1st April then the period will be extended to its full six-month maximum. 

Still with us? It’s also important to note that the UK has already deemed the EU’s data protection as adequate, meaning data is free to flow in the other direction too. GDPR has now been made part of UK law and renamed the ‘UK GDPR’. And, the Trade and Cooperation Agreement includes a commitment that the UK and EU will continue to cooperate on digital trade in future. 

What does your business need to do? 

If it’s business as usual until April, does your business need to do anything to ensure compliance with GDPR?

Unfortunately, the answer is yes. While data flows can continue as they are, for now, predicting the future is tricky. Some commentators are cautiously optimistic about the likelihood of a favourable adequacy decision for the UK. However, many others cite the long-standing differences in surveillance practices between the EU and UK as a potential blocker to any positive outcome.

This means that the smart thing to do, for businesses of any size, is to put in place alternative arrangements. The Information Commissioners Office (ICO) has already issued a statement urging businesses that depend on data received from EU/EEA countries to do exactly that. 

In practice, this means setting out binding corporate rules (BCRs) or standard contractual clauses (SSCs) on data protection for an EU organisation you exchange information with. This is essentially a commitment to comply with EU data rules as an individual organisation in the event that something changes at the state level.

You can find more advice on the ICO’s Brexit hub and we’ll keep bringing you further updates as we get them. 

Data privay toolbox