GDPR and sharing personal data: are you sufficiently protected in a post-Brexit world?

Despite Brexit being all we seemingly heard about towards the latter end of 2019, the events of 2020 make it seem like a distant memory. No doubt your main focus in 2020 has, understandably, been how to navigate and deal with the impacts that Covid-19 had on your business. 

Nevertheless, the effects of Brexit should not be ignored. The UK officially left the EU on 31st January 2020; however, until 31st December 2020 we remain in the ‘transition period’, i.e. the period during which the UK must still comply with all EU laws. It is during this transition period that the UK is negotiating its new relationship with the EU, including how the EU will continue doing business with the UK after this period.

Adequacy decision

Following the Information Commissioner’s Office’s recent publication, it is clear that no deal has yet been made with regards to how the UK will continue to trade with the EU from a data protection point of view.

At present, and until the end of the transition period, the GDPR is still part of UK law under the European Withdrawal Agreement. Therefore, the UK is able to send data to and receive data from the European Union in the same way it did prior to Brexit.

Part of the current ongoing discussions centres around whether the UK’s Data Protection Act 2018 (which implements the GDPR) offers an ‘adequate’ level of data protection. Ideally it will, as personal data will then be able to continue flowing between the EU and the UK without any additional safeguards having to be put in place. By way of example, the European Commission has already approved countries such as Canada, Japan and New Zealand as being adequate.

Prepare now

Whilst we hope that the European Commission will decide that the UK is adequate, until a decision has been reached, there is a risk that it won’t.

If you only trade within the UK and are already compliant with the GDPR, the lack of an adequacy decision will not be much of an issue for you.

However, if you are a UK business that sends data to or receives data from the EU, you will need to ensure you have sufficient protections in place; otherwise you risk non-compliance, which may result in a hefty fine.

If you think this may apply to you, you need to ensure that steps are taken which will allow you to continue this data flow. This will likely involve implementing either:

  1. Standard Contractual Clauses (SCCs): This will likely be the best option for you. These are simply data protection clauses which have been pre-approved by the European Commission and, once incorporated into your contracts, will allow the flow of personal data between a non-adequate country and the EU. There are various sets of SCCs, and which one you should use will depend on whether you are sharing data with another data controller or with a data processor (or vice versa). We can advise you on this accordingly and, if required, help you implement the SCCs into your EU trading contracts.
  2. Binding Corporate Rules (BCRs): If your business is part of a multinational group, these may be appropriate for you. BCRs are a code of conduct which applies to data transfers between an organisation’s EU bodies and its non-EU / non-adequate body or bodies. BCRs are legally binding and need to be approved by an appropriate data protection authority before you can use them. Similar to the SCCs, there are various versions of BCRs, which will depend on whether you are a data controller or a data processor. Again, if you think your business could benefit from BCRs, we can advise accordingly.

How we can help

In light of the above, are your current trading terms protecting you from a personal data point of view in a post-Brexit world?

If you would welcome further advice or would like us to review your current terms to ensure they are compliant, contact our Commercial and IP team on 0161 926 9969 or commercial@mlplaw.co.uk to receive expert legal advice for your business.