Deal or no deal? Where does that leave GDPR?7th December 2020
The first thing to say here is that the situation will be more complicated after the end of the Brexit transition than it was before – whether we get a deal or no deal.
Certainly, no deal, doesn’t mean no data protection legislation. We might not be subject to the GDPR, however the UK will still maintain a strict data protection framework because without it – data won’t be able to flow between the UK and EU countries.
Even with our own data protection legislation in place, there are some hoops that we have to go through, in order for, the exchange of personal data to continue.
If you are not transferring data FROM the EU nothing very much changes for you.
At the present time, in the UK, personal data control is legislated by the Data Protection Act 2018 (DPA) which became law in May 2018 at almost the same time as GDPR and has run alongside it until now. It is just as stringent as the GDPR, so if you are not transferring data from the EU nothing very much changes for you, although something everyone should bear in mind is that all contracts that mention the ‘EU GDPR’ or just ‘GDPR’ will need to be changed to the ‘UK GDPR’.
However, what does change is if you are relying on the exchange of data between the EU and the UK. Once we exit the transition period with the EU and if we do so with a ‘no deal’ this changes the rules around the flow of data, this will make the UK a ‘third country’ in terms of data protection legislation.
Any EU company sending personal data TO the UK may be transferring the data unlawfully.
You can however continue to SEND personal data to the EU because that is considered a safe place to receive data.
What we in the UK need to do, is prove that we are a safe to receive the personal data from the EU.
We need an adequacy decision, but this will not happen before Brexit
At the moment our DPA legislation does match the GDPR (in fact it might be the case that we bring the GDPR into UK law to officially sit alongside the DPA) – however if we leave the EU with ‘no deal’ we then need the EU to grant us what is called an ‘adequacy decision’ and this is unlikely to be a quick process – we would have to pass rigorous tests.
The EU have already made it clear that they aren’t in the mood for granting us any special favours and have said that they won’t even consider commencing the process until after our exit. It is likely that we could be talking about years before an adequacy decision is finalised – and there is no guarantee that it will be successful.
One of the biggest ‘sticking’ points regarding the granting of this adequacy decision is likely to be around our surveillance culture. Similar, to the problems recently faced by the US who have had their ‘Privacy Shield’ agreement removed (this was the US data protection framework that companies could sign up to), this is due mainly to their surveillance culture which is deemed to be an invasion of privacy.
What this means is, that after Brexit, any personal data being transferred INTO the UK from the EU will be subject to restrictions and there are procedures you need to put in place to enable this to happen.
If you want to transfer personal data into the UK from the EU after Brexit, you must have SCCs in place
The way to transfer personal data into the UK from the EU after Brexit is by writing Standard Contractual clauses (SCCs) into your existing data sharing and other agreements.
These clauses require evidence that procedures and protocols are in place that mean personal data arriving in the UK is subject to the same level of protection (or higher) than would be expected from the GDPR.
These clauses have yet to be approved by the EC and cannot be changed or modified. The ICO is advising that for “most businesses and organisations SCCs are the best way to keep data flowing to the UK.”
As you can see, the situation is anything but clear!
If your organisation relies on transferring personal data from the EU and you need some help to ensure you have the correct SCCs in place, please contact the data protection specialists here at the Griffin House Consultancy.
Book a no-obligation,complimentary Zoom consultation and one our data protection specialists will be delighted to help.
Call: +44 (0)1673 88 55 33
Email: [email protected]