After a period of uncertainty for the UK before it left the European Union in late 2020, the ICO last week gave an insight into the short-term data flows between the EU and the UK.
Pending the adoption of adequacy decisions that enable GDPR-compliant transfers of personal data between the EU and the UK, the agreement reached with the EU will allow the free flow of personal data from the EU (and the EEA) to the UK in the short term. This interim arrangement will last no more than six months. Likewise, the UK has temporarily determined that the EU and EEA are adequate for the purposes of data flows out of the UK.
The ICO has recommended that UK companies that work with EU and EEA organizations in a manner that includes the transfer of personal data set up alternative transfer mechanisms in order to avoid disrupting the flow of data should their position change after this interim period.
For the majority of small or medium-sized organizations, the easiest and most effective way to put adequate safeguards in place and ensure compliance is to include Standard Contractual Clauses (“SCCs”) in the contract between the UK and EU / EEA organizations. It is recommended that larger organizations review existing contracts and processes to ensure that UK-EU transfers are appropriately classified as “international” transfers, at least until an adequacy decision is made.
These ICO guidelines fit in with the general position that the UK will continue to operate in a similar manner in the short term from a data protection perspective. The Data Protection Act 2018 continues to set the framework for data protection law in the UK. It now sits alongside the UK GDPR (UK version) and what is known as the “Frozen GDPR” (EU version). The GDPR was incorporated into UK law by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, SI 2019/419, under which it has been renamed the “UK GDPR”. The UK GDPR sits alongside the Data Protection Act 2018. However, changes made by the EU to the GDPR will not automatically be carried over to the United Kingdom, with the UK GDPR and the Data Protection Act 2018 now the main reference points for the future.
We examined some of the key considerations in our pre-Brexit paper, “Will the UK be ‘fair’ in 2021?” (Clyde & Co), and we will watch how the position develops.
As a sensible precaution, before and during this period, the ICO recommends that companies work with EU and EEA organizations that transfer personal data to them to establish alternative transfer mechanisms, in order to prevent disruption of the free flow of personal data from the EU to the UK.
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/12/ico-statement-in-response-to-uk-governments-announcement-on- the extended period for personal data flows that allows time to complete the adequacy process /