Brexit update: what the trade deal means for UK businesses
Will Brexit ever end?
As you may be aware, prior to the end of 2020 there was a lot of debate about what would happen to GDPR on 1st January. Given that the trade negotiations went down to the wire, we were all left in the dark until the deal was done on Christmas Eve. But what are the main headlines from this deal and, more importantly, what do they mean for UK businesses?
Probably the most important outcome of the deal is that data transfers can continue, both from UK to EU and from EU to UK, for at least another 4 months. There’s also the possibility that this could be extended to 6 months. Whilst the UK Government had already advised UK businesses that they could continue to transfer personal data from the UK to the EU, there was no such agreement for transferring EU data to the UK. This deal has thankfully changed that, meaning that bilateral data transfers are guaranteed for 4-6 months.
During this time the UK will attempt to achieve a so-called ‘adequacy decision’ that will allow data transfers to continue after this 6-month period without the need for any additional safeguards. In simple terms, an adequacy decision is where the EU looks at our data protection regulations and determines if they’re good enough to be considered ‘safe’. Whilst the industry is hopeful that an adequacy decision will be achieved, there’s no guarantee. In case it isn’t, the ICO is advising UK companies to use the 4-6 month breathing space to prepare for a bad outcome.
Preparing for the worst
There are two options for dealing with a situation where an adequacy decision is not made, namely Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR). In order to do either of these, there’s a certain amount of work you need to do up-front, notably making sure you’ve mapped your data flows. This is so you fully understand inter-company and intra-company data transfers from the EU to the UK.
Standard Contractual Clauses can be a straightforward solution and apply to both inter-company and intra-company transfers. But they come with a word of warning: there are some new versions of the contract clauses currently awaiting adoption by the European Commission. It’s anticipated this will happen in the first few months of 2021, so you may want to wait for the new versions to come out before implementing SCCs.
Larger enterprises may elect to go the other route and use Binding Corporate Rules to transfer personal data between branch offices in the EU and the UK. However, BCRs are strictly for intra-company transfers only – they don’t apply to transferring personal data between companies. These too come with a word of caution: the ICO is no longer able to approve BCRs. Instead, your BCRs will need to be approved by a supervisory authority from within the EU.
Whilst transfers take up most of the Brexit headlines, they’re not the only concern. One other area which has caused confusion following the announcement of the trade deal is the need for EU Representation. Many people mistakenly think that because the trade deal has given us a stay of execution on data transfers, this also applies to the need for EU Representation. That’s not the case. If you are offering goods and services in the EU, or monitoring data subjects’ behaviour in the EU, you will need to appoint an EU Representative. They need to be physically based within the Union, and you’ll also need to make sure their contact details have been added to your privacy notices and that they have a copy of your records of processing.
Get help with your data protection
Bulletproof’s experienced data protection officers give your business ongoing support and maintenance of your data protection obligations. Find out more about our flexible, cost-effective packages.