Brexit may lead to greater restrictions on the transfer of personal data from the EU to the UK. UK organisations will need to be prepared.
When the UK leaves the EU on 29th March 2019 the GDPR will already have become law in every other EU member state.
The regulations governing the international transfers of personal data are set out in Chapter V of the GDPR. It stipulates that, for the purposes of data transfers abroad, any country that is not part of the European Union must be treated as a ‘third country’.
Transfers of personal data from organisations within the EU to organisations within third countries are subject to additional restrictions. Specifically, an organisation within the EU may not transfer personal data to a ‘third country’ unless:
- the EU has conferred ‘adequacy status’ on that country (i.e. the EU has formally recognised that state as offering an adequate level of protection to personal data).
- the organisation the data is being transferred to has put adequate safeguards in place to protect that data.
As the UK is still currently part of the EU, these restrictions don’t affect European organisations who transfer personal data to us at the moment. However, when the UK leaves the EU it will become a ‘third country’ for the purposes of the GDPR and those restrictions will come into play. UK organisations will therefore need to start looking for ways to ensure that the flow of data from their EU suppliers, subsidiaries and customers continues uninterrupted after Brexit.
It might not be prudent to pin all hopes on the UK getting an adequacy decision from the EU. In the first instance, it is not entirely clear how long the UK would have to wait for an adequacy decision, or even if that decision would go in the UK’s favour. Consider that the European Commission has previously voiced concerns about the UK’s perceived failure to properly implement the Data Protection Directive (on which our current Data Protection Act is based). If those concerns are not addressed by the UK’s implementation of GDPR, then any adequacy decision may prove to be elusive.
This being the case, it seems more likely that UK organisations will have to meet the adequate safeguard requirements of the GDPR if they are to continue exchanging data with organisations in the EU. They should therefore start planning now to make sure that they have adequate safeguards in place in time for Brexit.
Article 46 of the GDPR sets out several potential routes UK organisations could take to demonstrate that adequate safeguards are in place. Of these routes, the most straightforward option is likely to be incorporating EU-approved standard contractual clauses into existing data sharing agreements with their EU partners.
So, our advice to UK organisations is to engage with your EU subsidiaries, suppliers and customers early. Agree on a contingency plan to put revised versions of your existing data sharing/processing agreements (with the appropriate clauses included) into force in the event the UK doesn’t achieve adequacy status after Brexit.
If you don’t address this issue promptly then your EU partners may start to make contingency plans of their own…to stop sharing data with you and conduct their business somewhere else.