The free flow of data underpins the modern economy and is essential to businesses in every sector, from automotive to logistics. The end of the UK's post-Brexit transition period could disrupt data flows if the UK does not receive an adequacy decision from the EU. Preparation must be on every business’s radar.
The guidance on this page represents the information currently available from government. The CBI will update this page as new information is released.
Key challenges for business
How will data transfers between the UK and EU change when the transition period ends?
In the event of a non-negotiated exit, the UK has confirmed it will continue to recognise EU standards of personal data post-Brexit. It will permit UK businesses to send personal data to the EU and countries with adequacy and partial adequacy agreements (e.g. the US, Japan, and Canada) without any additional requirements.
The EU is endeavouring to make an adequacy decision on the UK by the end of 2020. However, if the transition period ends without an adequacy decision, the EU will treat the UK as a third country – meaning that UK businesses that receive data from Europe will need to implement new safeguards. Businesses should work with their EU supply chain and partners to identify where safeguards may be necessary.
Standard contractual clauses (SCCs) are the most common safeguard – these are standard sets of terms and conditions which the sender and receiver of personal data insert into contracts. Businesses should note the recent ruling by the European Court of Justice that obliges businesses to scrutinise SCCs much more closely: data exporters and importers will have to verify that the safeguards offered by SCCs can be enforced in practice in the UK as a third country.
The impact on UK/EU data transfers in the event of a deal will depend on whether the UK receives an adequacy decision from the EU.
What will happen to GDPR when the transition period ends?
The government intends to incorporate GDPR into UK law. Businesses must continue to comply and should follow current guidance on complying with GDPR from the Information Commissioner’s Office (ICO). References to EU law and terminology in businesses’ documentation must be identified and updated to reflect UK terminology post-Brexit.
Will the end of transition impact how businesses interact with EU authorities?
Businesses will no longer benefit from One-Stop-Shop, which allowed them to interact with a single supervisory authority. This means that if the ICO is currently a business’s lead data protection regulatory authority but the business has offices, branches, or other subsidiaries in the EU, it might need to deal with other European supervisory authorities after the end of the transition period.
If a business is based solely in the UK but offers goods or services to EU citizens or monitors their behaviour, it may need to appoint a suitable representative in Europe. This appointee will act as the firm’s local representative with individuals and data protection authorities in the EU.