Brexit Update: What The Trade Deal Means for UK Businesses

Written by Nicky Whiting, Head of Compliance

19/02/2021

Will Brexit ever end?

As you may be aware, prior to the end of 2020 there was a lot of debate about what would happen to GDPR on 1st January. Given that the trade negotiations went down to the wire, we were all left in the dark until the deal was done on Christmas Eve. But what are the main headlines from this deal and, more importantly, what do they mean for UK businesses?


Data transfers

Probably the most important outcome of the deal is that data transfers can continue, both from the UK to the EU and from the EU to the UK, for at least another 4 months. There’s also the possibility that this could be extended to 6 months. Whilst the UK Government had already advised UK businesses that they could continue to transfer personal data from the UK to the EU, there was no such agreement for transferring EU data to the UK. This deal has thankfully changed that, meaning that bilateral data transfers are guaranteed for 4-6 months.

During this time the UK will attempt to achieve a so-called ‘adequacy decision’ that will allow data transfers to continue after this 6-month period without the need for any additional safeguards. In simple terms, an adequacy decision is where the EU looks at our data protection regulations and determines if they’re good enough to be considered ‘safe’. Whilst the industry is hopeful that an adequacy decision will be achieved, there’s no guarantee. In case it is not, the ICO is advising UK companies to use the 4-6 month breathing space to prepare for a bad outcome.


Preparing for the worst

There are two options for dealing with a situation where an adequacy decision is not made, namely Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR). In order to do either of these, there’s a certain amount of work you need to do up-front, notably making sure you’ve mapped your data flows. This is so you fully understand inter-company and intra-company data transfers from the EU to the UK.

Standard Contractual Clauses can be a straightforward solution and apply to both inter-company and intra-company transfers. But they come with a word of warning: there are some new versions of the contract clauses currently awaiting adoption by the European Commission. It’s anticipated this will happen in the first few months of 2021, so you may want to wait for the new versions to come out before implementing SCCs.

Larger enterprises may elect to go the other route and use Binding Corporate Rules to transfer personal data between branch offices in the EU and the UK. However, BCRs are strictly for intra-company transfers only – they don’t apply to transferring personal data between companies. These too come with a word of caution: the ICO is no longer able to approve BCRs. Instead, your BCRs will need to be approved by a supervisory authority from within the EU.


EU Representation

Whilst transfers take up most of the Brexit headlines, they’re not the only concern. One other area which has caused confusion following the announcement of the trade deal is the need for EU Representation. Many people mistakenly think that because the trade deal has given us a stay of execution on data transfers, this also applies to the need for EU Representation. That’s not the case. If you are offering goods and services in the EU, or monitoring data subjects’ behaviour in the EU, you will need to appoint an EU Representative. They need to be physically based within the Union, and you’ll also need to make sure their contact details have been added to your privacy notices and that they have a copy of your records of processing.


In Summary

Though the trade deal was reached at the last minute, UK businesses have been given 4-6 months of breathing room in which to start preparations for a variety of eventualities. Whilst we once again wait with uncertainty, this time to see if an adequacy decision will be reached, wise business leaders will be putting wheels in motion to prepare for either outcome, most likely in the form of SCCs and/or BCRs.

