With Brexit fast approaching, businesses are being urged to prepare. Regardless of whether there is no deal with the EU, preparation should include considering the steps needed to address terms related to the transfer of personal data between the UK and EU organisations. Data transfer will be impacted by the Brexit split as we will no longer be part of the European Economic Area (EEA).
At present, all countries within the EU are subject to the GDPR. The UK has some additional provisions within its own Data Protection Act, but fundamentally all EU countries are subject to the same rules. So what’s the problem? EU rules, which the UK will no longer be subject to, include restrictions on transferring data outside of the EEA, without appropriate safeguards or exceptions being in place. As the UK has not been authorised as a suitable destination (under an ‘adequacy decision’) for EU operations to send data to, this means that from January 2021 EU businesses will need to have these safeguards in place for dealing with UK businesses. This does not apply in reverse, as the UK has already confirmed that EU countries meet the requirements of UK legislation. So what can you expect?
What is an adequacy decision? This is a formal assessment by the EU that a non EEA organisation or state has adequate data protection provisions. Where one has been made for a country, data can be transferred to that country without further requirements. It is understood that an assessment is currently being undertaken but is yet to be confirmed. Until then, organisations in the EU may incorporate standard EU contractual clauses into dealings with UK businesses. Many UK businesses dealing with non EEA countries may already be familiar with these types of clauses. In particular, those dealing with the USA will know of the decision of the EU courts to revoke the adequacy decision in respect of the US privacy shield scheme, and should therefore already be incorporating the required provisions into data related contracts.
As a result, businesses may start to see additional or adjusted terms and conditions from EU hirers and suppliers. Although there is no obligation on a UK business to have these kinds of clauses in contracts with those parties, it would be good practice to suggest or include appropriate terms wherever it is felt that the EU party needs some help in that area. Indeed, having suitable organisational and technological protections in place as already required may again come into focus during contract negotiations.