If your business needs to manage data post-Brexit, there is some good news. The EU-UK Trade and Co-operation Agreement grants a six-month reprieve to businesses which transfer personal data to and from the EEA.
The Agreement permits the continued free-flow of personal data post-Brexit from the EU to the UK and the UK to the EU for up to six months (i.e. to the end of June 2021). During this period, it is hoped that the EU will grant the UK “adequacy” status. This would mean that the EU considers that the UK’s data protection laws are adequate and broadly in line with the EU GDPR. It is worth noting that securing an adequacy ruling in six months is fairly ambitious, but it is a positive sign of intent.
If an adequacy decision is not made during this period, the UK will be deemed to be a “third country” for the purposes of the EU GDPR and so additional appropriate safeguards will need to be put in place in order to transfer data from the EU to the UK, such as the standard contractual clauses (SCCs). The ICO recommends that businesses which receive a lot of personal data from the EU put in place the SCCs during this six-month period to safeguard against any disruption at the end of this timeframe.
Whilst this is all good news for businesses in the short term, it does not affect whether a business is required to have an EU representative. If you offer goods or services to individuals in the EU or you collect their data, post-Brexit you will eventually need to appoint an EU representative unless you have an office located in the EU.
If you have any questions, please contact Julia Ellis, Emma Carter, or Faye Hickman.