What has happened to GDPR in Brexit?
First point: GDPR has not gone away. It still applies to all organisations based in the UK. It is now governed by UK GDPR rather than the EU GDPR as before.
- You can transfer personal data to the EU/EEA as before Brexit. (For the uninitiated, EEA = EU plus Iceland, Norway, and Liechtenstein.)
- However, transfer the other way, from the EU/EEA to the UK, is more complicated. The EU-UK Trade and Cooperation Agreement signed at the death has created a ‘Bridge’ to allow ‘the continued free flow of personal data from the EU/EEA to the UK’ for up to six months.
So, what happens after six months?
To freely transfer data from the EU to a country outside the EU, the country has to be considered to have Adequate provisions in place for the safety of private data. The EU has yet to rule on this. Whilst it should be expected to be no problem, as we have just left the EU, this cannot be assumed to be automatic, as there are potential issues.
Some countries, such as New Zealand, Canada and Switzerland, have the benefit of their systems being deemed Adequate by the EU, and data can flow freely between them and the EU. It is expected that the UK will join this category, but there is no guarantee this will have been approved by the end of the six-month period.
The Information Commissioner's Office advises businesses to make alternative arrangements for the end of the six-month period, which is not an optimistic sign.
If the six-month period ends and the UK has not been deemed Adequate, then it will become a Third Country for GDPR purposes.
Then data can only be transferred to the UK if Standard Contractual Clauses (SCCs) are in place setting out the obligations of each party to ensure the proper protection of the data.
Businesses are also required to have a representative in the EU in these circumstances and to amend their policies to cover the new situation.
So get prepared.