Brexit: How the UK’s departure from the EU affects data transfers

On January 31, 2020, the United Kingdom withdrew from the European Union, creating a tricky situation regarding the EU GDPR (General Data Protection Regulation).

As the GDPR is an EU regulation, the UK will no longer be subject to it once the Brexit transition period ends on 31 December 2020. As you might expect, it’s obviously not as cut and dry as this, particularly when it comes to organizations transferring personal data between the UK and the EU.

Fortunately, the solution is quite simple, as under Articles 44–50 of the GDPR personal data can be transferred out of the EU using a handful of approved methods.

Transfers on the basis of an adequacy decision

The Regulation states that the European Commission “has the power to determine […] whether a country outside the EU offers an adequate level of data protection.”

If so, that country’s data protection laws are considered a safe haven for EU residents’ data, and, as such, the data can be freely transferred there.

However, this transfer mechanism only applies if the data goes between the “adequate” countries, and nowhere else.

As an adequacy decision is yet to be reached in respect of the UK, this transfer mechanism cannot work. A decision could come during the transition period, but we wouldn’t rely on that, given the limited time available. Organizations should therefore seek an alternative method.

You can find a list of countries currently deemed adequate by the European Commission here.

Binding corporate rules

As the name suggests, BCR (binding corporate rules) act as internal guidelines that are legally enforceable by every member of a corporate group.

However, the rules only apply to that corporate group. As such, while they may be useful for intracompany transfers, binding corporate rules do not help when data needs to be transferred between different entities.

It’s also worth noting that the ICO will no longer be a GDPR supervisory body after the transition period, so its BCRs will no longer be valid.

UK organisations will therefore have to use BCRs approved by a supervisory authority in the remaining 27 EU member states.

Standard contractual clauses

Typically, transfers subject to appropriate safeguards take place under standard contractual clauses adopted by the European Commission.

According to the ICO (Information Commissioner’s Office), the UK’s data protection authority, “the UK government intends to recognise [European Commission]-approved standard contractual clauses as providing an appropriate safeguard for restricted transfers from the UK.”

Consequently, organizations that have data processing agreements with European Commission standard contractual clauses in place can continue relying on them to effectuate data transfers from the EU to the UK and elsewhere.

UK organizations need an EU representative

Like any other organization that is based in a third country and provides services into the EU, UK organizations now need an EU representative.

If you’d previously been using the UK as your connection to the EU, you’ll now need to find a replacement.

Fortunately, IT Governance USA’s GDPR EU Representative service can help.

As your appointed EU representative, we’ll:

  • Register our EU address as your GDPR representative address
  • Act as the point of contact on all issues related to your personal data processing activities
  • Act as first point of contact for communications received from EU-based data subjects in relation to data subject rights requests and other general GDPR-related inquiries
  • Act as first point of contact for communications received from EU supervisory authorities and liaise with them on all matters pertaining to the GDPR, e.g. responding to data subject rights complaints and personal data breach reporting
  • Hold a record of your processing activities and make these available to the data protection authorities at their request
find out more