Under the General Data Protection Regulation (GDPR), the transfer of personal data outside the EU is only allowed to countries that the European Commission deems to provide an “adequate” level of personal data protection. In a notice issued on 9 January 2018, the Commission reminded all parties that the UK will become a third country post-Brexit (March 2019), and any cross-border data flows between the EU and the UK may no longer carry automatic adequate safeguards. The UK government’s view is that an ‘adequacy decision’ should be easy to achieve as the GDPR is being brought into UK law and the UK has a long tradition in data privacy. However, there are legal and political challenges that could stand in the way of an adequacy decision:
- The EU is obliged to scrutinise the UK’s legal regime, including human rights and powers of surveillance. A specific challenge will be the UK’s controversial Investigatory Powers Act.
- The UK has said it will not incorporate the Charter of Fundamental Rights of the EU. Articles 7 and 8 enshrine fundamental privacy rights and data protection rights.
- Post-Brexit decisions by the Court of Justice of the European Union will no longer have legal effect in the UK.
If an adequacy decision is not forthcoming, the UK may seek a bilateral agreement similar to the EU-US Privacy Shield. Other options for organisations under the GDPR include using binding corporate rules or contractual clauses, which would add complexity and cost to data transfers.
UK organisations with an EU presence need to carefully consider the Brexit implications and whether their current data transfer practices will continue to be justified under the Regulation.
Get ready for the GDPR
Book a GDPR Gap Analysis and one of our experienced data protection consultants will assess your compliance level, and advise on what to do to become GPDR compliant. The gap analysis can be booked at a fixed price of £3,750.00 if you fit our prerequisites, meaning no nasty surprises.
Don’t miss our live GDPR Q&A on Valentine’s Day (Wednesday 14 February 2018) at 3:00 pm. IT Governance’s founder and GDPR expert: Alan Calder, will be answering your GDPR related queries via Twitter. Join the discussion and tweet your thoughts using hashtag #GDPRJoinTheDiscussion.