Following the huge fanfare that heralded the introduction of the General Data Protection Regulation (GDPR) back in May, you could be forgiven for thinking the position on data protection post-Brexit is already settled.
The UK government has given the green light to personal data transfers from the UK to the EU in the event of a no-deal Brexit, confirming in its guidance that it will continue to support the adequacy of the EU for personal data transfers without the need for additional safeguards to be implemented.
However, if no deal is reached in the Brexit negotiations, the flow of personal data from the EU to the UK will be impacted, requiring changes to the current data protection regime.
The reason for this is that, in the absence of a deal to the contrary, the UK will become a ‘third country’ post-Brexit, meaning that specific approved safeguards will need to be adopted to support the lawful transfer of personal data to the UK.
While the UK’s preferred position is to secure an ‘adequacy decision’ to maintain a free flow of data between the UK and the EU and minimise any disruption after Brexit, establishing an adequacy decision can be a complicated and lengthy process, and the EU has confirmed that a decision on adequacy cannot be taken until the UK is a ‘third country’.
It seems inevitable, therefore, that there will be a period of time between the UK’s withdrawal from the EU and an adequacy decision when data will not be able to flow from the EU to the UK without certain approved safeguards being in place (assuming that a permitted derogation cannot be relied on).
These approved safeguards include standard contract clauses (which are clauses approved by the European Commission for the purpose of legitimising transfers) and binding corporate rules (these may be appropriate for multinational corporate groups).
Personal data transfer appears to be fairly low down the list of issues being negotiated as part of the UK’s divorce settlement. However, given that we live in a digital society, it is an issue that organisations need to start considering.
If, as part of your business practices, you rely on the transfer of data from the EU to the UK, now is the time to start looking at what contingency actions you will need to take to ensure that data can flow in a lawful and practical manner to the UK after March next year.
A transfer of personal data to a ‘third country’ without an approved safeguard will constitute an infringement of data protection law, which may result in hefty fines being incurred.