By Polly Russel-Stower, Group General Counsel, Ultimate Finance
On 31 December 2020, the transition period for the UK leaving the EU came to a close. There is still a lot of work to be done and one thing many businesses were worried about is what the end of the transition period would mean for data protection. A decision on exactly how the UK and the EEA will transfer data is still to be made, but the good news is for at least the next four months (taking us up to the end of April) and up to a maximum of six months, personal data can carry on flowing between the EU and the UK without additional safeguards – this is known as the bridge period. During the bridge period, the EU and the UK will try to agree whether the UK can be subject to an adequacy decision.
Does the General Data Protection Regulation still apply to the UK even though we have left the EU?
Yes. It was brought into UK law by the Data Protection Act 2018.
What is an adequacy decision and is the UK likely to receive one?
The GDPR restricts transfers of personal data to non-EEA countries unless the data is protected in another way or an exception applies – an adequacy decision meets this criterion.
An adequacy decision is made by the EU and is granted to a country that is not in the EEA but is considered to have appropriate safeguards and frameworks for the protection of personal data, comparable to the protections under the GDPR. An adequacy decision allows the free flow of data from the EEA to the third country without any further checks and balances being required. Examples of other countries which are subject to adequacy decisions are Canada, New Zealand and Switzerland.
Whether the UK will get an adequacy decision is uncertain. There are issues with the UK’s surveillance regime which were recently raised in the case known as Privacy International, and there will be plenty of organisations that will look to challenge any adequacy decision that is made. The waters have also been muddied by the judgment in Schrems II, which was handed down in Summer 2020 and invalidated the EU-US Privacy Shield.
What happens if the UK doesn’t receive an adequacy decision?
If the UK does not receive an adequacy decision, then it will need to comply with GDPR transfer restrictions and find another way of transferring personal data. The most common solution that businesses have been exploring is to include what are known as “Standard Contractual Clauses” or “Model Clauses” in their contracts with third parties/suppliers. Standard Contractual Clauses do what they say on the tin – they are a set of model contractual clauses that provide appropriate safeguards when organising the controlling and processing of personal data. They are not the easiest read and are fairly long, as they cover many aspects of protecting personal data as well as setting out the duties of the Data Importer (the organisation receiving the data) and the Data Exporter (the organisation sending the data). That said, they are designed to be slotted into any contract you might wish to use.
Practical things you can do
As it is not guaranteed that the UK will receive an adequacy decision, now is a good time to think about the data you control and process and who you may export data to. We suggest you:
- Identify third parties you receive data from or export data to;
- Make sure you know exactly what personal data is transferred – for example does it include sensitive data?
- If you don’t have them already, obtain copies of your contracts with third parties and review the existing data protection clauses.
- Speak to the third party and understand if they already have a proposed strategy for dealing with the UK not receiving an adequacy decision – some larger organisations will be able to capitalise on the work they did pre-December 2020, before the bridge period was announced, and will have a good sense of what needs to be done.
- Get familiar with the SCCs and the information you will need to supply and request if you choose to use them. The SCCs have recently been under consultation and the ICO expects that the finalised form of clauses should be issued in the early part of 2021. The ICO has current versions of the SCCs on its website, on the page “Standard Contractual Clauses (SCCs) after the transition period ends”.
- Depending on how much personal data your organisation controls or processes, keeping on top of data protection can be a full-time job – don’t leave it until the last minute and, if in doubt, engage someone who can give you clear and practical advice about how you can continue to ensure you are compliant with data protection laws.