EU-UK data transfers  – good news for the time being

7th January 2021

It’s good news, for the time being at least. The Government have given UK organisations who are processing personal data from the EU some breathing space.

They have announced that the treaty agreed with the EU will allow personal data to flow freely from the EU to the UK for another six months.

They are giving us this time to allow for an Adequacy Decision to be adopted.

If you are transferring personal data from the EU into the UK we advise that you use this time wisely.  Prepare.

What is an Adequacy Decision?

An Adequacy Decision basically means that the EU see the UK as a ‘safe place’ to transfer data into.  It means that they believe that we have an ‘adequate level of data protection’.  If they give us this decision it will mean that data can continue to flow freely from the EU to the UK so long as it’s standards are met, without additional regulatory compliance.

What is the process for getting an Adequacy Decision?

1) Firstly, a proposal is required from the EU.

2) Secondly, the European Data Protection Board (EDPB) will need to state it’s opinion.

3) Representatives from the EU Member states need to give their approval.

4) Finally, the decision needs to be adopted by the European Commissioners who proposed it.

Are we likely to get an Adequacy Decision?

At this point in time we simply don’t know.  Our Data Protection Legislation is very much in line with the GDPR, however there will be issues, most prominent of which is our surveillance culture.

However, if the UK isn’t given an adequacy decision, and we have very high standards, having only just departed the EU, where does that leave the rest of the world in terms of the EU granting adequacy decisions elsewhere?

It will also increase the legislative burden on EU organisations transferring data into the UK – does the EU want this extra pressure on their economy right now?

But the EU did declare the data sharing agreement known as the Privacy Shield with the US as invalid, so they are not afraid of upsetting the applecart.

So, our advice is that it’s a case of planning for the worst and hoping for the best.

Preparations you should be making now if you transfer data FROM the EU

1) Map your data flows.

2) Be very clear about any data flowing IN FROM THE EU.

3) Have the organisation that the data is coming in from, got an established base in the UK?  (this may help).

4) Amend all policies and procedures to reflect that the UK is no longer a member of the EU.

5) Consider putting in place Contractual Standard Clauses or Model Clauses (which will be required if we do not get an adequacy agreement).

The ICO have put together a webinar covering how the UK’s exit from the EU will change data protection law in the UK and the key things you need to do in order to keep data flowing at the end of the UK’s transition period out of the UK.  (It is this transition period that has just been extended).

For an independent legal appraisal, our specialist legal advisors have from Cordery Compliance have written an article here about this temporary data Brexit deal.

If you need any help or advice with any of the above, please do get in touch with the data protection specialists here at the Griffin House Consultancy.  Why not take advantage of our complimentary, no obligation, half hour consultation via Zoom?

Let us ease your mind

If you have any queries, questions or requests then please get in touch. We’re always very happy to talk, you’ll find a friendly voice on the end of the line or simply fill out the form below.

    Your Contact Details

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.