Many organisations have been getting in touch worried about whether they can still transfer data to and from the EU, especially between group companies, now that the UK has left the EU.
Firstly, GDPR is here to stay as although it originally originated from the EU, it has now been adopted into English law.
Secondly, for four months personal data can continue to be transferred between the EU and the UK without any restrictions (this period is referred to as ‘The Bridge’). The Bridge may be extended up to six months (i.e. until 30 June 2021). In the meantime, it is hoped that the EU will decide that the UK’s data protection laws provide adequate protection and allow the transfer of data from the EU to the UK without any further restrictions. However, this is not guaranteed. Conversely it has already been agreed that personal data from the UK can be transferred to the EU freely.
Due to the risk that an agreement won’t be reached to allow the unrestricted transfer of personal data from the EU to the UK, many organisations are therefore considering what steps, if any, to take now, especially if the transfer of such data is critical to their business. The ICO has recommended that businesses put in place back-up plans by the end of April, just in case a deal cannot be agreed.
If your organisation is potentially caught up by this, we can advise you on how you might best protect your business, based on your particular circumstances. However, one option is to incorporate EU approved Standard Contractual Clauses (SCCs) into data sharing agreements; for example an organisation could put a data sharing agreement in place between its EU and UK entities which contains such provisions.
It is worth bearing in mind however that the SCCs themselves are currently under review by the European Commission and we expect that new clauses may be approved in March/April 2021. The new SCCs will permit a wider category of data transfer than currently exists, so this represents a positive change. Organisations will have 12 months to implement the new SCCs from the date of their approval, so those organisations that rely on SCCs to transfer data internationally will need to be ready to implement changes within 12 months.
In light of the fact that the new SCCs may be approved for use next month and the potential risk that the transfer of personal data from the EU to the UK will be restricted from 1 July 2021, we recommend that organisations (who transfer data internationally) should conduct a data flow audit. This audit will enable the organisation to identify what type of data is being transferred, the reason for the transfer, and where the data is being transferred to and from i.e. which organisations and which countries; in addition, identifying any existing SCCs being used. If you need support in conducting the audit please get in touch. Once you have completed the audit, we can assist you analyse the results and ensure you have a strategy and appropriate safeguards in place as necessary.
This is only intended to be a summary and not specific legal advice. If you would like further information or advice, please do contact a member of our team.
Selene Holden | (firstname.lastname@example.org ~ 01284 717436)
Andrew Cooper | (email@example.com ~ 01284717499)
Greg Jones | (firstname.lastname@example.org ~ 01284 717446) or
Angharad Ellis Owen | (email@example.com ~ 01284 717453)
For more information on the services offered by Greene & Greene Solicitors please visit www.greene-greene.com and you can also follow on Twitter @GreeneGreeneLaw.