Since the inception of GDPR, data flow has been a significant and often time-consuming aspect of running a business successfully. Whether it’s the handling of employee data or that of customers, it’s important that all regulations are adhered to in order to avoid any potential fines.
Since the UK officially completed its separation from the EU on 31 December 2020, many business owners have been concerned about how this will impact data flow between the UK and EU. Here Phil Parkinson, Head of Commercial law at Blacks Solicitors, discusses what businesses need to know when it comes to understanding data flow in a post-Brexit world.
Since Brexit, there has been serious concern that data flow between the UK and the EU would be hampered, making the process stifled and difficult for businesses.
The UK had already decided pre-Brexit that UK to EU data adhered to GDPR regulations, as this had been implemented. However, we were waiting for the EU to decide whether data transfer from the UK to EU was deemed adequate and could flow as before.
At the time of writing, the EU has decided that the UK is an adequate country and therefore data may flow freely between the two. This is the latest stage in an ongoing process and the approval should allow the European Commission to formally adopt the decision.
However, there have been challenges to this being adopted; for example, MEPs urged a rethink on the decision, citing concerns about how the UK would use data in the future. The 2020 case of ‘Schrems II’, for instance, highlights the significant concerns (as much political as legal): there is mistrust between countries, and they are wary of how their residents’ data is being used.
Post-Brexit, the EU laws relating to GDPR no longer apply in the UK. However, with so much work having gone into GDPR compliance in 2018, there is now ‘UK GDPR’, which has been incorporated into UK law alongside the Data Protection Act 2018.
UK businesses will be covered by the UK data protection regime and only minor tweaks to policies and documents are likely to be required, such as taking out now outdated references to the EU.
The UK government has stated that data transfers to the EEA (European Economic Area) are not restricted, so data can still be sent from the UK to the EEA.
If your organisation operates in the EEA, you need to comply with both UK and EU data protection regulations. You may also need to appoint a representative in Europe and take note of, and follow, the EU’s adequacy decision process.
As long as businesses continue to comply with EU GDPR regulations, the transition should be seamless. In fact, it’s in the interests of the government, business and the economy to keep it as smooth as possible. However, if your business is reliant on EU data flows, it’s worth keeping an eye out for any changes in the law.
In May 2021, the Information Commissioner’s Office (ICO) announced that it’s working on bespoke UK standard contractual clauses for international data transfers, replacing the EU Standard Contractual Clauses.
In the words of ICO Deputy Commissioner Steve Wood: “I think we recognise that standard contractual clauses are one of the most heavily used transfer tools in UK GDPR. We’ve always sought to help organisations use them effectively with our guidance. The ICO is working on bespoke UK standard clauses for international transfers, and we intend to go out for consultation on those in the summer.
We’re also considering the value to the UK for us to recognise transfer tools from other countries, so standard data transfer agreements, so that would include the EU’s standard contractual clauses as well.”
No, but every business should consider any sector-driven advice. Remember that data flows don’t necessarily follow a logical path. If there are servers in the EU, for instance, each business needs to consider how it may be affected and take advice accordingly.