GDPR, Brexit and the Adequacy Decision
Subject to approval from the European Parliament, the UK will formally leave the EU on 31 January with a withdrawal deal and will enter a transition period until 31 December 2020.
With this in mind, where does that leave the UK from a data protection perspective, and what steps, if any, do organisations need to take in preparation for the exit?
The key factor in determining what steps to take (or indeed not to take) centres around the GDPR’s ‘adequacy’ decision. Currently, personally identifiable information (PII) can be freely transferred between the UK and EU countries. Once the UK is no longer part of the EU, it will be classed as a ‘third country’, will not automatically benefit from this free flow of information and will need to seek adequacy status.
This status is granted by the European Commission to countries outside of the European Economic Area (EEA) which offer levels of data protection that are essentially equivalent to those within the EU. This, in effect, facilitates the free flow of information without additional safeguards being required.
There is a school of thought that the adequacy decision will be included within a trade deal and, if this is correct, that deal will need to be concluded by the end of the year. This seems ambitious, although not insurmountable. That said, it is not clear to what extent the adequacy decision and the trade talks are bound together.
The UK has stated, on record, that it is ready to begin discussions on data adequacy now whilst still a member state, but the Commission has been reluctant to start before the terms of the UK’s withdrawal have been settled. Either way, a decision on adequacy cannot be taken until the UK is a third country.
The UK Government has said that it will allow UK data to flow freely in an attempt to minimise disruption if a decision isn’t reached. However, the EU has made it clear it will not reciprocate and will treat the UK, under the Chapter 5 provisions, as a third country until a decision on adequacy is made. Transfers of EEA data to the UK would still be possible, but only where additional legal safeguards had been implemented.
So, with all these ifs, buts and maybes flying around, what should an organisation be doing other than monitoring developments and keeping a close eye on whether the adequacy decision is included within a trade deal or being dealt with separately?
We would recommend you follow the good old Baden-Powell motto – ‘Be Prepared’ – and use the time to understand where you may be exposed and where you will need to incorporate model contract clauses or other additional measures. You also need to understand who you are sharing PII with, their compliance status and what information is being shared within the EU.