The UK has finally left the EU. Despite a withdrawal agreement being in place, many uncertainties remain. The transfer of personal data is an area that continues to be in flux. Here’s a short recap based on information from the Information Commissioner’s Office (ICO):
The transition period has ended – as such, UK personal data protection legislation is solely determined by the UK-GDPR, amended Data Protection Act 2018, and the Privacy and Electronic Communications Regulations. But how do these local data protection laws align with EU standards so data flow can continue uninterrupted? Well, on this front we will have to wait while the UK undergoes an adequacy assessment conducted by the European Commission.
If UK laws are determined to be sufficient by the European commission then it is envisaged that data transfers and processing will continue as before. But it is naïve to think there will be no discrepancies regarding the treatment of personal data between UK and EU authorities. For the time being international restricted transfers from the EEA to UK can continue under the Trade and Cooperation Agreement, and at present no new arrangements are needed when transferring data outside of the UK.
Fast forward a few months…
In a situation where the UK is not granted adequacy, it will then be classified as a “third country” (i.e., a country outside the EEA). If the UK’s storage of EEA personal data is not considered appropriate by EU-GDPR standards, then other measures will need to be put in place for continued storage and international transfers. These include, but are not limited to, additional compliance methods (such as Standard Contractual Clauses) like those we have seen emerge since the EU-US privacy shield was rendered back in July 2020.
The ICO has a host of information on International data transfers which you can read here. In this period of continuing uncertainty, the ICO recommends that organisations receiving personal data from the EEA implement alternative place guards before the end of April to prepare for the real possibility that the UK is deemed inadequate, or the bridge ends. If data transfers from the EU to the UK become subject to local transfer requirements from the country of origin, it’s important to collaborate closely with your European Partners to plan actions that will ensure data can continue to flow as required by your organisation.
There are still many pieces of the puzzle that need to be identified to understand the full impact of Brexit on the storage and transfer of personal data within the EU and UK. BitTitan continues to remain shoulder-to-shoulder with our Partners and customers to navigate through these challenging and uncertain times.