Brexit update: what the trade deal means for UK businesses

Nicky Whiting Headshot
Nicky Whiting
Managing Director
19th February 2021

Will Brexit ever end?

As you may be aware, prior to the end of 2020 there was a lot of debate about what would happen to GDPR on 1st January. Given that the trade negotiations went down to the wire, we were all left in the dark until the deal was done on Christmas Eve. But what are the main headlines from this deal and, more importantly, what do they mean for UK businesses?

Bilateral data transfers are guaranteed for 4-6 months.

Data transfers

Probably the most important outcome of the deal is that data transfers can continue, both from UK to EU and from EU to UK, for at least another 4 months. There’s also the possibility that this could be extended to 6 months. Whilst the UK Government had already advised UK businesses that they could continue to transfer personal data from the UK to the EU, there was no such agreement transferring EU data to the UK. This deal has thankfully changed that, meaning that bilateral data transfers are guaranteed for 4-6 months.

During this time the UK attempts to achieve a so-called ‘adequacy decision’ that will allow data transfers to continue after this 6-month period without the need for any additional safeguards. In simple terms, an adequacy decision is where the EU looks at our data protection regulations and determines if they’re good enough to be considered ‘safe’. Whilst the industry is hopeful that an adequacy decision will be achieved, there’s no guarantee. In case this happens, ICO is advising UK companies to use the 4-6 month breathing space to prepare for a bad outcome.

Data traveling through data Cables

Preparing for the worst

There are two options for dealing with a situation where an adequacy decision is not made, namely Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR). In order to do either of these, there’s a certain amount of work you need to do up-front, notably making sure you’ve mapped your data flows. This is so you fully understand inter-company and intra-company data transfers from the EU to the UK.

Standard Contract Clauses can be a straight-forward solution and apply to both inter-company and intra-company transfers. But they come with a word of warning: there are some new versions of the contract clauses currently awaiting adoption by the European Commission. It’s anticipated this will happen in the first few months of 2021, so you may want to wait for the new versions to come out before implementing SCCs.

Larger enterprises may elect to go the other route and use Binding Corporate Rules to transfer personal data between branch offices in the EU and the UK. However, BCRs are strictly for intra-company transfers only – they don’t apply to transferring personal data between companies. These too come with a word of caution: the ICO is no longer be able to approve BCRs. Instead, your BCRs will need to be approved by a supervisory authority from within the EU.

A contract being signed

EU Representation

Whilst transfers take up most of the Brexit headlines, they’re not the only concern. One other area which has caused confusion following the announcement of the trade deal is the need for EU Representation. Many people mistakenly think that because the trade deal has given us a stay of execution on data transfers, this also applies to the need for EU Representation. That’s not the case. If you are offering goods and services in the EU, or monitoring data subject’s behaviour in the EU, you will need to appoint an EU Representative. They need to be physically based within the Union, and you’ll also need to make sure their contact details have been added to your privacy notices and that they have a copy of your records of processing.

EU flag with GRPR in the centre
If you are offering goods & services in the EU, or monitoring data subject’s behaviour in the EU, you will need to appoint an EU Representative.
Summary card header

In Summary

Though the trade deal was reached at the last minute, UK businesses have been given 4-6 month breathing room in which to start preparations for a variety of eventualities. Whilst we once again wait with uncertainty, this time to see if an adequacy decision will be reached, wise business leaders will be putting wheels in motion to prepare for either outcome, most likely in the form of SCCs and/or BCRs.

Nicky Whiting Headshot

Meet the author

Nicky Whiting Managing Director

As Managing Director of Bulletproof, Nicky’s responsible for innovating and evolving Bulletproof’s compliance services. With a varied and interesting career, Nicky shares amazing insight that directly helps businesses overcome their security and compliance challenges.

Get help with your data protection

Bulletproof’s experienced data protection officers give your business on-going support and maintenance of your data protection obligations. Find out more about our flexible, cost-effective packages.

Learn more

Related resources

Trusted cyber security & compliance services from a certified provider

Get a quote today

If you are interested in our services, get a free, no obligation quote today by filling out the form below.

(1,500 characters limit)

For more information about how we collect, process and retain your personal data, please see our privacy policy.