The UK is now a third party in respect of data transfers from the EU and is awaiting a formal decision that our data protection regime is “adequate” to protect the data and rights of data subjects in the EU.
The EU agreed a period of grace to the end of April 2021 for data transfers to the UK to continue and committed to work towards an early Adequacy Decision as part of the Trade and Cooperation Agreement with the UK in late December 2020.
In February 2021 a draft Adequacy Decision was published and sent to the European Data Protection Board for consideration. The EDPB has said it is likely to report in April 2021 which means that the earliest the EU can put the Adequacy Decision in place will be towards the end of May. This exceeds the period of grace for unrestricted personal data transfers. There is provision for an extension of time on the free transfer of data for a further two months and this will now be needed.
However, there is concern in the EU that the UK has openly stated that it will be diverging from GDPR in the future. In particular it will be considering Adequacy Decisions of its own to facilitate and smooth trade deals. This may undermine the acceptance of the EU that the UK’s data protection legislation is adequate meaning that the Adequacy Decision is by no means settled and certain.
Once again it is time to prioritise checking that your organisation has appropriate mechanisms in place to protect data transfers from the EU. Identify where those transfers are taking place from the organisation’s Article 30 records and confirm that these are up to date around international transfers. Then follow up any recorded data transfers from the EU to determine whether alternative mechanisms are in place (or can be put in place) to safeguard data transfers from the EU to the UK. Note that the UK government has stated that data transfers from the UK to the EU are lawful although this position could be reviewed.
Mandy P Webster, Data Protection Consultant