Adequacy or and ‘adequacy decsison’ refers to a determination that a non-EU country ensures an adequate level of protection of personal data by reason of its domestic law or the international commitments it has entered into.

The effect of such a decision is that personal data can flow from all EU States and the European Economic Area member countries (Norway, Liechtenstein and Iceland) to that non-EU country, without any further safeguards.

An individual customer’s explicit consent is sufficient to transfer their own data to a non-EEA state, provided the possible risks of such transfers for the data subject are clearly communicated within the privacy notice.

Click here for an example of an exception and is one of several scenarios where GDPR does not apply, however these exceptions are not typically suitable for mass exports of data.

The exceptions to GDPR are outlined in Article 49 and include; explicit consent, where the transfer is necessary for fulfilment of a contract; for important reasons of public interest, for the establishment, exercise or defence of legal claims, to protect the vital interests of the data subject, where a transfer is made from the public register.

These exceptions are not typically suitable for the mass export of data and some are limited to occasional or non-repetitive transfers. Click here for examples. 

Mitigations are the actions a business will need to take to put in place appropriate safeguards to ensure the continued flow of data if the UK adopts third country status. For most SMEs, documentation known as Standard Contractual Clauses or SCCs will be the best way to keep data flowing between the EU and the UK.

Data controllers transferring data to a processor or controller in a non-EEA state will likely need to use Standard Contractual Clauses. Standard Contractual Clauses (SCCs) are standard sets of contractual terms and conditions which the sender and the receiver of the personal data both sign up to.

• Both signatories must be compliant with GDPR

• The Information Commissioners Office (ICO) have tools and templates available to help businesses draft SCCs

https://ico.org.uk/for-organisations/data-protection-and-brexit/keep-data-flowing-from-the-eea-to-the-uk-interactive-tool/

For Northern Ireland businesses who processes the data of individuals in the EEA, but does not have a branch or establishment within the EEA, then you will likely need to appoint a European representative.

This will be a EEA representative within a state where some of the individuals whose personal data you are processing are located who are authorised to act on their behalf regarding their EU GDPR compliance.

• Likewise, EU businesses without a presence in the UK may need to appoint a representative in the UK to comply with the mirrored UK GDPR legislation.

https://ico.org.uk/for-organisations/data-protection-and-brexit/data-protection-if-theres-no-brexit-deal/the-gdpr/european-representatives/

This would mean personal data can only be transferred from the EEA to the EU under certain circumstances. This would apply to the transfer of data between Ireland and Northern Ireland.

Data from the UK should still be able to flow to the EU as it does at present, as the UK government have stated they will unilaterally grant an “adequacy decision” to all EU/EEA countries. Data flowing from the EU to the UK will no longer be considered to have adequate protections and will therefore only be able to be transferred under certain conditions or with mitigatons in place.