Content is continuously being updated as negotiations develop.

Let’s get started with a few questions

What is GDPR?

The GDPR is the General Data Protection Regulation. It sets out the key principles, rights and obligations for the processing of personal data. It applies to all EU/EEA members and therefore personal data can flow between member states as there is an automatic legal recognition of adequacy. 

What is adequacy?

Adequacy, or an ‘adequacy decision’, refers to a determination that a non-EU country ensures an adequate level of protection of personal data by reason of its domestic law or the international commitments it has entered into.

The effect of such a decision is that personal data can flow from all EU States and the European Economic Area member countries (Norway, Liechtenstein and Iceland) to that non-EU country, without any further safeguards.

Can personal data continue to be moved with the subject’s consent?

An individual customer’s explicit consent is sufficient to transfer their own data to a non-EEA state, provided the possible risks of such transfers for the data subject are clearly communicated within the privacy notice.

This is an example of an exception and is one of several scenarios where GDPR does not apply; however, these exceptions are not typically suitable for mass exports of data.

What are the other derogations to GDPR?

The exceptions to GDPR are outlined in Article 49 and include: explicit consent; where the transfer is necessary for fulfilment of a contract; for important reasons of public interest; for the establishment, exercise or defence of legal claims; to protect the vital interests of the data subject; and where a transfer is made from the public register.

These exceptions are not typically suitable for the mass export of data and some are limited to occasional or non-repetitive transfers.

What is a mitigation?

Mitigations are the actions a business will need to take to put in place appropriate safeguards to ensure the continued flow of data if the UK adopts third country status. For most SMEs, documentation known as Standard Contractual Clauses or SCCs will be the best way to keep data flowing between the EU and the UK.

What is a Standard Contractual Clause (SCC)?

Data controllers transferring data to a processor or controller in a non-EEA state will likely need to use Standard Contractual Clauses. Standard Contractual Clauses (SCCs) are standard sets of contractual terms and conditions which the sender and the receiver of the personal data both sign up to.

• Both signatories must be compliant with GDPR

• The Information Commissioner’s Office (ICO) has tools and templates available to help businesses draft SCCs

https://ico.org.uk/for-organisations/data-protection-and-brexit/keep-data-flowing-from-the-eea-to-the-uk-interactive-tool/

Will I need a European representative?

If you are a Northern Ireland business that processes the data of individuals in the EEA but does not have a branch or establishment within the EEA, you will likely need to appoint a European representative.

This will be a representative within an EEA state where some of the individuals whose personal data you are processing are located, who is authorised to act on your behalf regarding your EU GDPR compliance.

• Likewise, EU businesses without a presence in the UK may need to appoint a representative in the UK to comply with the mirrored UK GDPR legislation.

https://ico.org.uk/for-organisations/data-protection-and-brexit/data-protection-if-theres-no-brexit-deal/the-gdpr/european-representatives/

The position now 

GDPR is a European Regulation and will continue to apply to UK businesses until the end of the implementation period; therefore, personal data can continue to be shared between UK and EEA countries.

The position in 2021 

In 2021, after the implementation period, the transfer of personal data between the UK and Ireland will no longer be automatically compliant under the GDPR. The UK government has said that UK personal data can continue to flow into the EEA, but we do not know if personal data can continue to flow from the EEA to the UK. It is likely that one of the following scenarios will then apply. 

The EU may grant an ‘adequacy decision’

This means that the EU may decide that the UK has an adequate level of protection of personal data by reason of its domestic law or the international commitments it has entered into, and therefore data can continue to flow as it does presently. The UK has mirrored the GDPR into its domestic law, so businesses will have to continue compliance; however, this does not guarantee that an adequacy decision will be granted. The EU are currently considering whether an adequacy decision will be granted.

The UK may adopt ‘Third Country’ status under GDPR

This would mean personal data can only be transferred from the EEA to the UK under certain circumstances. This would apply to the transfer of data between Ireland and Northern Ireland.

What changes if the UK adopts ‘Third Country’ Status?

Data from the UK should still be able to flow to the EU as it does at present, as the UK government have stated they will unilaterally grant an “adequacy decision” to all EU/EEA countries. Data flowing from the EU to the UK will no longer be considered to have adequate protections and will therefore only be able to be transferred under certain conditions or with mitigations in place.

What steps can I take now?

Be compliant

Ensure you are compliant with GDPR now.

Gain an understanding of your data 

Understand your international flows of personal data. Key transfers to identify will be those from the EEA to the UK; consider how you may continue to receive these transfers lawfully in 2021.

Take action

Review your privacy information and documentation to identify any changes that need to be made in 2021.
