The General Data Protection Regulation (GDPR) was adopted on the 14th of April 2016 and entered into force on the 25th of May 2018. The GDPR allows personal information to flow freely in the European Union (EU) without being subject to any further measures. However, if the United Kingdom (UK) leaves the EU without a specific agreement, this information flow will no longer be possible. Despite the uncertainty surrounding the outcome of Brexit, it is important for data controllers who transfer data between the UK and the EU to know how they will be affected.
Which steps should you take?
The Information Commissioner’s Office (ICO), the UK's independent regulatory body for data protection, has issued a document with six steps for data controllers to follow in preparation for Brexit:
- Continue to apply the GDPR rules – most of them will remain the same for the UK after the exit.
- If you transfer data from the EU to the UK, think about the safeguards you can put in place to ensure the flow of data once the UK is no longer part of the EU (e.g. standard contractual clauses, binding corporate rules).
- If you transfer data from the UK to the EU, these transfers will fall under the new provisions for transfer and documentation and will not be restricted.
- Review your organizational structure, processing activities and data flows to determine how Brexit will affect the data protection regimes applicable to you, in particular:
  - Would you be subject to UK rules, EU rules or both?
  - Which will be your lead Authority?
  - Do you need a European Representative?
- Review your documentation and identify if any updates are needed.
- Involve the key people in your organization and make sure they are aware of all the changes.
It is very likely that the UK government will seek an adequacy decision, meaning that the EU will recognize the level of protection of personal data in the UK as equivalent to the one in the EU. However, until this decision is in place, organizations are encouraged to take the steps above and determine the most appropriate transfer mechanisms.
Obelis at Your Service
If you wish to know more about the General Data Protection Regulation, please do not hesitate to contact us. Obelis Expert Consultants, having nearly 30 years of experience with EU Regulations, will answer any questions you may have and will gladly assist you in the process of ensuring the compliance of your data processing activities and the appointment of a GDPR Consultant.