Context
HM Treasury has provided guidance on the action which needs to be taken regarding data protection and data flows with the EU/EEA after the end of the transition period.
Key points to note
- The guidance applies to UK businesses and other organisations which:
- receive and transfer personal data to/from organisations abroad, including the European Economic Area (EEA), which includes the EU,
- operate in the EEA.
- From 1st January 2021, firms will need to have an alternative transfer mechanism, such as Standard Contractual Clauses (SCCs), in place with EU/EEA counterparts to ensure that they can keep personal data flowing lawfully from them.
- The EU is conducting a data adequacy assessment of the UK. If the EU grants positive adequacy decisions by 1st January 2021, it would mean that personal data can flow freely from the EU/EEA to the UK, as it does now, without any action by organisations.
- The EU has yet to make a decision as to whether it accepts that the UK’s data protection regime is still adequate.
- Firms should work with EU/EEA organisations which transfer personal data to them to put in place alternative transfer mechanisms. For most organisations, the most relevant of these will be SCCs
- The Information Commissioner’s Office has published guidance to provide more detail which can be found here: https://ico.org.uk/for-organisations/data-protection-at-the-end-of-the-transition-period/
- There are currently no changes to the way in which firms send personal data to the EU/EEA, Gibraltar and other countries deemed adequate by the EU.
- At the end of the transition period, EU data protection law will be converted into UK domestic law, with some minor technical amendments to ensure it is operable in the UK.