From 1 January 2021, you will need to have in place additional safeguards when transferring personal data between the EEA and the UK. In this note, we set out our recommended approach and steps you can take now.
We know that after the end of the transition period, the UK will largely incorporate the existing EU-derived data protection regime into its national law in the form of a ‘UK GDPR’. This is reassuring news for organisations that so recently worked to become GDPR compliant.
However, the devil is in the detail, as another uncertainty is looming over the many data transfers which organisations rely upon to do business in Europe. From 1 January 2021 the UK becomes a non-EEA country and transfers between the EEA and the UK will require an adequacy decision which will confirm whether the UK offers a sufficient level of protection for personal data.
At the time of writing, the European Commission has given no indication as to when this decision will be made. The uncertainty is of great significance because some organisations may find that the legality of day-to-day operations is called into question and be left with no choice but to scramble for a compliance solution.
Which day-to-day transfers may be affected?
Common examples will include any:
- HR systems used to process various types of employee data
- other systems used to process various types of customer data
which are either located or accessed between the EEA and the UK, whether inside a group of companies or by third party service providers.
In order to avoid such a situation, in the absence of an adequacy decision, EEA and UK controllers and processors will need to put appropriate safeguards in place to ensure continuity of transfers and data flow to the UK.
Standard Contractual Clauses
The most common method of ensuring that there are appropriate safeguards will be through the use of standard contractual clauses (SCCs), and this is the approach recommended by the Information Commissioner’s Office (ICO) in these circumstances. Derogations may be applicable but are not a blanket solution.
Organisations need not wait until after Brexit to incorporate SCCs into existing agreements. These can be incorporated now on a conditional basis, so that the clauses will only come into effect in the absence of any further agreement between the UK and EU on data protection or in the event of a delay in the adequacy decision by the European Commission.
The SCCs offer some form of relief for organisations as they are a tangible measure they can take. However, they are not ‘one size fits all’ and may not be appropriate to all situations. Organisations will need to assess what is the right approach to suit their own processes and resources, and protect their interests.
If you want to find out more about SCCs and whether they are the right solution for your organisation, our data protection team is on hand to answer your questions.
The material contained in this guide is provided for general purposes only and does not constitute legal or other professional advice. Appropriate legal advice should be sought for specific circumstances and before action is taken.
© Miller Rosenfalck LLP, November 2020