The impact of Brexit on UK businesses was always unclear, and it remains so even though the transition period has ended. One unresolved issue is the restriction on personal data transfers between the UK and the EU, but at least the possible outcomes are now clearer, and UK businesses can start preparing.
The UK already has GDPR, so why do I need a guide?
Unfortunately, it’s not quite that simple. In 2019 the UK Government copied the text of the EU GDPR into UK law (alongside the Data Protection Act 2018) to create something called ‘the UK GDPR’, which took effect when the transition period ended. It is effectively the same set of rules, but under the complete control of the UK Parliament. So in theory, over time, the UK can diverge from the EU GDPR if it doesn’t like certain new rules or regulations.
Divergence is a double-edged sword. While it could mean simpler rules for British businesses in the future, if we deviate too far from the original GDPR text, the EU may decide we’re ‘non-adequate’ and restrict the free flow of personal data.
We got Brexit done. Where does that leave data transfers?
While the UK was still part of the EU, as long as companies remained compliant with GDPR, they were free to store or transfer personal data across member states. In other words, British personal data could be stored on servers in France, and French personal data could be stored on servers in the UK.
Throughout 2020 (the ‘transition period’), the EU and the UK agreed that this arrangement could continue, but all bets would be off after the 31st December 2020. This is because on the 1st January 2021 the UK became a ‘third country’, the rather confusing name given to any country outside the EEA.
European Economic Area (EEA): EU member states, plus Iceland, Liechtenstein and Norway
Once the UK is a ‘third country’, any transfer of personal data from the EEA to the UK counts as an ‘international transfer’ rather than a routine ‘cross-border transfer’ within the EEA.
Third countries. International Transfers. This is confusing! What does this mean for UK businesses?
So the bad news is that, under the EU GDPR, ‘international transfers’ to a third country are only allowed in a handful of scenarios (leaving aside the narrow case-by-case derogations in Article 49, such as explicit consent, which are not a basis for routine data flows):
- If the EU has issued an ‘adequacy’ decision - We’ll go into this in more detail later, but in short it means the European Commission formally recognises a country’s data protection laws as essentially equivalent to the GDPR, so personal data can flow to it as if it were part of the EEA.
- If ‘appropriate safeguards’ are in place - These are organised by the companies involved, and the two main mechanisms are BCRs (binding corporate rules) and SCCs (standard contractual clauses).
- If there is an ‘approved code of conduct’ or certification mechanism - No code has been approved for this purpose yet, so you can ignore this one.
- If an extension is granted to the UK - Strictly this is not a GDPR mechanism but a bridging arrangement agreed between the EU and the UK.
Option 4 is what was agreed on the 30th December 2020 as part of the Trade and Cooperation Agreement (TCA), which came into effect on the 1st January 2021. The agreement effectively extended the transition period for data transfers for up to six months (an initial four months, automatically extended by a further two unless either side objected). Hurrah!
Wait. What happens on June 30th 2021?
The TCA bridging period ends. If the EU hasn’t granted the UK a positive adequacy decision by then, and you don’t have BCRs or SCCs in place, EEA organisations will have no lawful basis to send personal data to the UK, so it will be unlawful for you to receive, store or process that data here. (Transfers in the other direction are unaffected: the UK has already recognised the EEA as adequate.)
BCRs (Binding Corporate Rules) and SCCs (Standard Contractual Clauses) are the ‘appropriate safeguards’ that let a company transfer personal data internationally when no adequacy decision covers the destination. BCRs are internal rules approved by a data protection authority and in practice only suit large multinational groups moving data between their own entities; SCCs are a set of contract terms pre-approved by the European Commission, signed between the data exporter and the data importer, and are the realistic route for most businesses.
That’s going to be a disaster! Why isn’t this front-page news?
Mainly because most big companies, which have the legal resources available, have already sorted themselves out with BCRs or SCCs. Small and medium-sized businesses, for the most part, aren’t even aware of the problem.
Is there ANY good news?
Yes. Because of the TCA bridging period described above, a UK business that was GDPR compliant before Brexit does not need to make any changes in the immediate future.
Whilst many commentators will point out that the fastest the EU has ever made an adequacy decision was 18 months (with Argentina), the UK is a special case. Not only would a breakdown in the free flow of data be hugely disruptive to both UK and EU businesses, but the UK currently has an effectively identical copy of the GDPR baked into British law.
Therefore the probability of an adequacy decision before the 30th June is pretty high. But nothing is guaranteed, so for a belt-and-braces approach we recommend that UK businesses which receive personal data from the EEA put SCCs in place with their EEA counterparties (BCRs are only an option for corporate groups), so that the transfers have a lawful basis whatever happens.
If you are a UK business with only UK clients, the safest option is to review where your data is physically stored and processed, to make sure it is based in (you guessed it) the UK. If you’re using a cloud service, it can be difficult to find out exactly where your data is stored: check the region settings and the provider’s data processing terms, including where backups are kept. If you want advice on alternative cloud solutions from a 100% UK-based cloud provider, check out our services and get in touch.