Since leaving the EU, the UK has been in a transition period which will last until the end of 2020, to allow time for the UK to negotiate a new relationship with the EU.
During the transition period existing European laws which are part of UK law will continue to apply, including in respect of data protection under the General Data Protection Regulation (GDPR).
Whilst the outcome of negotiations between the UK and the EU remains uncertain for now, it is expected that GDPR will remain part of UK law.
Currently under GDPR, the transfer of personal data to countries outside of the European Economic Area (EEA) is restricted and can only take place if there is an adequacy decision issued by the EU (see below) or there are particular contractual terms in place, known as standard contractual clauses.
Once the transition period ends, the UK will no longer be classed as part of the EEA, and so personal data being shared to and from UK businesses will also be restricted under GDPR. So, what will options be for sharing personal data with other organisations in the EEA?
Adequacy Decisions
An adequacy decision is a finding by the European Commission that the laws in place in a certain country provide a similar level of data protection to that under GDPR. adequacy decisions are currently in place for countries such as Canada, Japan and New Zealand.
The UK is currently seeking an adequacy decision from the European Commission which would allow for personal data to continue to be passed to and from the UK to the EEA. However, at present it is not clear whether this will be granted, particularly given the current state of negotiations with the EU.
Standard Contractual Clauses
If there is no adequacy decision in place, then personal data could still be shared to and from the UK provided that there are standard contractual clauses (SCCs) in place. These are standard terms and conditions, approved by the European Commission, which a sender and receiver of personal data must both agree to and which ensure that there are contractual terms in place regulating the way that personal data is handled and stored.
What Can You Do Now to Prepare?
Given the risk that an adequacy decision may not be granted by the European Commission, our view is that businesses should now start to incorporate SCCs into their template contracts to be used going forward, to prevent any delay in personal data being able to be passed to and from the EEA.
Existing contracts that are likely to continue after the end of the transition period should also be reviewed and SCC’s entered into.
If you require any assistance or further information regarding how GDPR may affect your business, please contact us on 0345 656 0406 or fill in our online enquiry form and a member of our Team will be in touch.