Brexit and data transfer: what has changed and how to keep your business GDPR-compliant

Brexit has brought many new challenges this year. While some of them may or may not have affected your business, the changes concerning data transfer between the EEA and the UK are something that every website operator must be prepared for in the future.

The Brexit transition period ended on 31 December 2020 and as part of the new trade deal, the EU has agreed to delay transfer restrictions for at least four months, which can be extended to six months (known as “the bridge”). In the meantime, an adequacy decision is being awaited.

This means that personal data transfers from the EU to the UK will be considered as data transfers to third countries. Without a European Commission adequacy decision for the UK, such transfers will require an appropriate safeguard to be in place in line with Article 46 of the EU GDPR, such as the Standard Contractual Clauses (“SCCs”) or binding corporate rules (“BCRs”), or codes of conduct and certification, or a derogation under Article 49 of the EU GDPR.

So what exactly is all of this? And most importantly, what’s next?

The EU-UK trade agreement set between the EU and United Kingdom states that there must be room for potential arrangements between the two governing bodies. Current EU GDPR regulations have passed through a stringent process to determine if they are in fact protecting people’s privacy – and the UK must determine the same.

Therefore, the adequacy decision would deem whether a country outside the EU offers an adequate level of data protection. If an adequacy decision is passed, then there can be a seamless data transfer flow between the UK and Germany. However, the ICO, the British Data Protection Authority, and the UK Minister of State for Media and Data continue to suggest that all businesses prepare for a no-adequacy end to the transition period.

If you are a UK business or organization that receives personal data from contacts in the EEA, you need to take extra steps to ensure that the data can continue to flow if the bridge ends without adequacy. This is relevant for any website operator with clients who are based in the EEA.

Therefore: If you have an established presence in the EEA, or if you have website visitors in the EEA, you need to comply with not only UK GDPR, but also with EU data protection regulations. This means that after the transition period ends, you may need to appoint a representative in the EEA, identify a lead supervisory authority in the EU, update any contracts governing EU–UK data transfers, update your policies, procedures and other documentation.

So let’s take a look at safeguards that should be in place prior to April 2021. Standard contractual clauses are one of a number of safeguards which can be used to comply, and the one most likely to be appropriate for small and medium-sized businesses.

SCCs are standard sets of contractual terms and conditions that the sender and the receiver of the personal data both sign up to. They include contractual obligations which help to protect personal data when it leaves the EEA and the protection of GDPR. In the vast majority of cases, this is best done by putting in place a contract between you and the sender on EU-approved terms, i.e. standard contractual clauses (SCCs).

Since both the EEA sender of the personal data and the UK recipient must comply with the GDPR rules, compliance plays an important role for both parties in order to ensure that the data continues to flow if the transition period ends without adequacy.

1. Consider your international data transfers, particularly from the EEA to the UK;

Ask yourself: Where are your website views coming from.

2. Consider whether appointing EU / UK representatives is now required.

Enabling a smooth consent handover requires data protection experts to be in the applicable country.

3. Update agreements, policies and notices to refer to UK GDPR where applicable.

Make sure your CMP contains detailed and granular information regarding the latest legal requirements.

While it may seem that there are many new and confusing changes, Data Privacy should not be one of them. With a Consent Management Platform (CMP), you can ensure that consent is still being collected and managed – keeping your website within GDPR regulations despite changing times. Key to keep in mind for website providers worldwide including the UK: any consent coming from EEA clients, must also be gathered.