05 Feb Data Protection Post-Brexit

In many ways, Brexit has become the equivalent of “Can I copy your homework mate?” “Sure mate, just change it a little so no one knows” in the sense of regulation and compliance. Parliament has introduced legislation, the EU (withdrawal) Act along with the EU exit regulations, to essentially keep most of them close to the same as when the United Kingdom fell under the jurisdiction of the EU’s General Data Protection Regulation.

The keyword is “close,” as one could say: close only counts in horseshoes and hand grenades. In gist, the organisations that do business over borders will need to follow two regulatory standards. Fear not as there still is hope. There is a 4-month bridging period with a possibility for extension to 6 months in which the EU commission will assess the UK’s data protection. If found to be sufficient, the transfer of personal data can remain unbothered. If it is not sufficient data flow from the UK to the EEA will not remain the same (this could change) and data from the EEA to the UK will be restricted to the following:

• Codes of Conduct and Certification Mechanisms;
• Binding Corporate Rules;
• Standard Contractual Clauses;
• Explicit consent.

In the case of the businesses operating solely in the UK, data from the EEA will be supervised non-domestically, in the data sources’ member state. There may be exceptions to this, but it may be that a representative will need to be assigned in the EEA.

In any case, as the bridging period passes it is imperative to be ready for any of these scenarios to play out, as the downside case poses a great risk in the form of multiple EEA state fines to UK-based organisations.