GDPR Transitional Arrangements
Under the terms of the post-Brexit trade deal between the UK and the EU, data can continue to flow freely between the UK and the European Economic Area (EEA) until 30 April 2021, which can be extended until 30 June 2021 if required. This is sometimes referred to as the EU-UK data bridge.
For any business that relies on transferring data between the EEA and the UK, it is essential to understand how the bridge works, what is likely to happen once it ends and what you need to do.
How does the EU-UK data bridge work?
Essentially, it means that nothing has changed for UK-EEA data transfers until the bridge period ends. If your business needs to transfer data to the EEA or vice versa, you can currently continue to do so exactly as you did before the Brexit transition period ended.
What will happen when the EU-UK data bridge ends?
This depends in large part on the EU. They must make an ‘adequacy’ decision to decide whether the UK will be able to provide an equivalent level of data protection to that which exists within the EU.
If the EU decides that the UK meets this adequacy requirement, then the free flow of data should be able to continue. However, if the EU decided the UK does not meet this requirement or simply fails to make a decision before the bridge period ends, this could cause problems. At the very least, it will mean that transfers of data from the EEA to the UK will need to be carried out under EU GDPR rules.
What is the EU likely to decide about the UK’s data protection adequacy?
The European Commission published its draft decisions about the UK’s adequacy on 19 February 2021, finding the UK to be adequate. These decisions are now being reviewed by the European Data Protection Board (EDPB) and a committee representing the 27 EU Members, which will decide whether to legally declare that the UK meets the data protection adequacy standard.
There is no set deadline for the EU to make its adequacy decision, but it is likely to take several months at least. However, as the EU’s General Data Protection Regulation (GDPR) was incorporated into UK law in the Data Protection Act 2018, this should hopefully mean the UK will be found adequate.
What do UK businesses need to do to prepare for the end of the GDPR transitional arrangements?
There are various steps UK businesses that rely on the transfer of data between the UK and EEA will need to take. Key issues you need to be on top of include:
- Exactly what data is being transferred between the UK and EEA
- Which data was obtained before 1 January 2021 (this data will still be governed by EU GDPR rules if it relates to people who were outside of the UK) and which data was obtained after 1 January 2021 (and therefore will be subject to UK data protection laws)
- How your contracts, supplier agreements etc. will be affected by the end of the EU-UK data bridge and where amendments may be required
- Your regulatory obligations – including where you may have to start dealing with regulators within the EU rather than the UK’s Information Commissioner’s Office (ICO)
- Appointing a European representative to handle data relating to individuals in the EEA
Speak to our Company Commercial team for advice on GDPR transitional arrangements
To discuss GDPR transitional arrangements with our Company Commercial team, please get in touch.