GDPR is just the start
Most of us have found it hard to get away from GDPR in 2018. Unfortunately, despite the fact that the UK enacted in national law the various requirements of GDPR, it does not mean that there will continue to be an uninterrupted flow of personal data after Brexit. Firms should be considering carefully how they will handle the movement of personal data after Brexit, particularly if they have offices and data storage facilities in Europe.
Securing an ‘adequacy decision’ is vital
To avoid disruption to cross-border data flows the UK needs to obtain an ‘adequacy decision’ from the EU. This ensures that personal data can flow from the EU to non-EU countries without any further safeguards. Adequacy decisions are granted if the country in question has an adequate level of protection for personal data. Without this in place GDPR then imposes restrictions on the transfer of data. Firms would face the onerous prospect of new contractual clauses and Binding Corporate Rules to meet EU standards. Given that 75% of the UK’s data transfers are with EU Member States this would add considerable friction to cross-border business operations.
The UK is seeking more than just an ‘adequacy decision’, in particular asking to sit on the European Data Protection Board (EDPB) and for UK firms with operations in multiple EU countries to be able to choose a Lead Supervisory Authority to deal with. However, this has already been rebuffed by the EU’s Chief Negotiator, who stressed that the only option available to the UK is an ‘adequacy decision’.
Keeping the data flowing
Businesses will be rightly concerned by this turn of events because even obtaining an ‘adequacy decision’ cannot be taken for granted by the UK and slow decision making in the EU means that achieving an agreement could take years. The European Court of Justice has also ruled that the UK’s domestic surveillance powers need amending to be compliant with EU law. Additionally, when the UK leaves the EU it will leave the EU-US Privacy Shield arrangement, which raises concerns generally about the ‘onward transfer’ of data that the UK will have with other third countries.
It is not impossible for the UK to address the EU’s concerns and, at the very least, secure an ‘adequacy decision’. The UK must start now on the EU’s adequacy assessment process and prioritise a transition period for preexisting arrangements to ensure that businesses across Europe aren’t presented with yet another unnecessary challenge to their standard operations.