The UK has applied for an adequacy assessment from the EU. If granted in full UK businesses will be able to continue to exchange data with the EU without taking extra steps beyond complying with UK data protection rules.
However, if it is not granted the UK will need to exchange data with the EU on third country terms. Under the rules set out in current UK rules companies which wish to transfer personal data to the UK from the EU will need to ensure ‘appropriate safeguards’ are put in place to provide assurances that these transfers meet data protection standards.
As a result, UK businesses which receive data from the EEA and wish to enter into business that requires exchanges of data with companies based in the EEA will need to review their business contracts to ensure that the recognised ‘appropriate safeguards’ are included.
UK companies will therefore need support to check their existing contracts and review new contracts/bids to ensure that these safeguards are included and that they are sufficiently robust to reassure potential business partners that they will not fall foul of data protection authorities. Failure to do so or increase the confidence in these measures from UK companies will mean that UK tech firms will be at a competitive disadvantage to companies based in the EEA.
Organisations within the EU have benefitted from the freedom to transfer personal information across the region for many decades under the EU’s common data protection framework. The free flow of data is a core part of the EU’s digital economy and the basis upon which many companies have built, shaped, grown and expanded their businesses, especially in the sphere of digital technologies.
Personal data is an integral part of any business. It can range from basic information such as individuals’ names and financial information to the more obscure such as habits and preferences. Most businesses will share and flow data across a number of jurisdictions to deliver services, engage partners and meet regulatory requirements. A no-deal Brexit will impact businesses to varying degrees as disruptions to information flows occur; this will be felt across supply chains, particularly where new technologies have increasingly global application.
The ability to rely on the EU data protection framework to facilitate data flows without impediments will cease to exist once the UK is no longer a part of the EU. It’s time to reconsider how organisations can use alternative mechanisms to sustain these cross border data flows. Currently, there are several available such as: adequacy decisions, Standard Contractual Clauses and Binding Corporate Rules. In order to leverage these mechanisms, organisations should have a good understanding of their key personal data flows, especially the prioritised ones (e.g. those that are business critical or relate to special category data) and the suitability of each mechanism is for their organisation.