The GDPR currently governs data processing within the EU and EEA and data can move freely between all members. Adequate data protection safeguards, as determined by the EU, are a prerequisite to any transfer of data non-member state, known as a ‘third country’. There are currently 13 third countries with adequacy or partial adequacy status.
Brexit and Data
Now that the UK has left the EU, it is defined as a third country under the GDPR. As highlighted earlier, personal data transfers to third countries are restricted unless one of the recognised legal bases to transfer the data internationally is established. The UK has already declared that it will transitionally recognise all EEA states, EU and EEA institutions, and Gibraltar as providing an adequate level of protection for personal data after exit. In other words personal data can continue to flow to these destinations after Brexit, but the UK has made clear that this decision will remain under review.
The EU, however, still needs to conduct a data adequacy assessment for personal data to flow freely in the other direction i.e. from the EU/EEA to the UK. The EU has made a commitment in the Political Declaration to complete a data adequacy decision before the end of the transition period (31 December 2020). This assessment will happen in parallel to the negotiations of the future UK-EU trade agreement.
An EU data adequacy decision is by no means guaranteed and in the unlikely case that the UK does not get an EU data adequacy decision, UK organisations will need to ensure that their data processing meets the EU standards for third countries to continue the transfer. Binding Corporate Rules maybe appropriate for intra-Group transfers. Similarly, for UK organisations to receive data from third party EU organisations, then standard contractual clauses (SCCs) will be more appropriate. The ICO has an interactive tool for SMEs to decide whether SCCs can help you maintain the flow of data and how to choose, understand and complete the right one for your needs.
Further information on ensuring your data meets the standard for no-deal Brexit preparations can be found here. Again, if you have any specific questions we recommend you seek the advice of a legal adviser.