GDPR in the Post Brexit Age - what you need to do

Data flows after Brexit

The Brexit transition period ended on 31st December 2020. After that date, the UK became a Third Country in the eyes of the EU and thus transfers of personal data need to be looked at differently. Transfers of personal data from the EU to a Third Country are required under the GDPR to be protected by safeguards in order to ensure “essential equivalence” with EU data protection standards. There are various options in order to comply, as follows:

  • An adequacy decision in favour of the Third Country, awarded by the EU, indicating that the data protection regime of that Third Country offers equivalent protection to individuals to that offered under EU regulations
  • Standard Contractual Clauses (SCCs) approved by the EU which commit data exporters and importers to agreed, robust standards of protection
  • Binding Corporate Rules (BCRs) which can be used by companies for international data transfers between their entities
  • Certain derogations which I won’t go into here because they can only be used in exceptional circumstances

It was always unlikely that the UK would secure an adequacy decision by 31st December, and there was concern that any business offering goods or services, or monitoring the behaviour of EU individuals, would need to implement SCCs immediately after 31st December.

The good news is that under the UK-EU Trade Agreement finalised on 24th December, whilst adequacy was not awarded, the EU has allowed a grace period of 4 months from 1st January (which can potentially be increased to 6 months and most likely will be) whereby personal data can continue to flow freely from the EU to the UK without the need for further safeguards. The grace period (known in the agreement as the ‘specified period’) will end sooner if an adequacy decision is awarded within the 4/6 months. The UK government has already agreed that data can continue to flow freely from the UK to the EU.

Notwithstanding the above ‘breathing space’ there is no certainty that the EU will award the UK an adequacy decision anytime soon, as they have concerns regarding UK government access to personal data, and there is also some concern that organisations could potentially use the UK as a ‘back-door’ into the USA, thus circumventing the Schrems 2 ruling. Indeed, the Information Commissioners Office (ICO) has stated on 28th December that “As a sensible precaution, before and during this period, the ICO recommends that businesses work with EU and EEA organisations who transfer personal data to them, to put in place alternative transfer mechanisms, to safeguard against any interruption to the free flow of EU to UK personal data”. By “alternative transfer mechanisms” in most cases we can read this as SCCs.

What to do

It would therefore be sensible for any organisations that offer goods or services or monitor the behaviour of EU individuals to get SCCs in place as soon as possible. Just to clarify what is meant by “monitoring behaviour” Recital 24 of the GDPR states that “In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”

Our advice for any companies meeting the above criteria is to prepare SCCs, make some minor adjustments to your documentation to reflect changes in the legislative landscape e.g., the Data Protection Act 2018 and the UK GDPR so that you are well prepared and fully compliant.

If you require help with your data protection compliance including preparation of SCCs, then feel free to contact us.

[email protected] or [email protected] or 07887 524507

Written by Nick Richards, our DPO. For further info on our Data Protection Officer Service click here: https://hunningsconsultancy.co.uk/dpo-service-data-protection-officer/

Whilst on this page may we invite you to take a look at our other services (see the drop downs at the top of this page). We provide all round Business Support for Law Firms, everything to allow a busy partner to get on with the client work. We have assisted over 350 law firms, direct access barristers and in house-legal. Everything from Compliance to on your Case Management System (LEAP, Proclaim & Clio), from Mentoring to Setting Up a New Law Firm. Ask about running your firm and we're probably able to help. 07887 524507 or [email protected].

"We at Spires Legal wholeheartedly recommend Ingemar and his team at Hunnings Consultancy Ltd. Ingemar has supported us throughout our journey from new start up to established firm. It is refreshing to have a consultant that takes the time to understand your business and its priorities, stands by your side as it develops and is flexible in approach as your needs change.
The feedback we have from our team, and which we regularly hear from others is that Ingemar is an insightful and knowledgeable trainer who is comprehensive yet engaging in his approach. Still unsure? Five minutes on the phone with Ingemar and you will be sold on how much value he can add to your business!"

Arj Arul - Director at Spires Legal

Click here to see more testimonials

Business Support for Law Firms

We will get back to you within 24 hours. For more information and to discuss how our service can work for you;
Call: 07887 524 507 
Fill out our contact form
Send us an email:
[email protected] 
We look forward to speaking to you...

How Can We Help You?

Contact Form Demo (#1)

WHY COMPANIES CHOOSE US

Quality services, in a timely & efficient manner for a reasonable fee. Assisting clients since 2014 as their Trusted Advisers on matters relating to the running of their Business.
list-altphone-squaretwitterfacebookenvelopelinkedininstagramgoogle