The UK-EU Trade and Cooperation Agreement (TCA) came into effect on 1 January 2021. The free flow of data underpins the modern economy and is essential to businesses in every sector, from automotive to logistics.
Even though the UK and the EU are starting from a period of unprecedented alignment on personal data, a data adequacy decision – which sits outside the TCA – has not yet been made by the EU. If the UK does not receive a positive adequacy decision, deeming that British law provides a comparable level of personal data protection to European law, data flows between the two partners will be disrupted.
Preparation must remain on businesses’ radar. The guidance on this page represents the information currently available from government. The CBI will update this page as new information is released.
Key challenges for business
What does the UK-EU TCA mean for GDPR?
The government has incorporated GDPR into UK law. Businesses must continue to comply and should follow current guidance on complying with GDPR from the Information Commissioner’s Office (ICO). References to EU law and terminology in businesses’ documentation must be identified and updated to reflect UK terminology upon exit.
What does the UK-EU TCA say about data flows between the EU and the UK?
Although the adequacy process is separate to the wider UK-EU TCA, the two partners have announced that, for up to six months, the UK will not be considered a third country when it comes to personal data, meaning that personal data will be able to flow freely between the UK and EU. The UK cannot change its data laws during this time.
The bridging period will provide time to ratify any adequacy decision made by the Commission, which must be scrutinised by the European Data Protection Board (EDPB) and European Parliament.
What will happen if the UK does not receive a positive adequacy decision?
If it does not make an adequacy decision, the EU will treat the UK as a third country – meaning that UK businesses who receive personal data from Europe will need to implement new safeguards to keep data flowing. The government therefore recommends that businesses work with their EU supply chain and partners during the bridging period to identify where safeguards may be necessary.
Standard contractual clauses (SCCs) are the most common safeguard – these are standard sets of terms and conditions which the sender and receiver of personal data insert into contracts. Businesses should note the recent ruling by the European Court of Justice that obliges businesses to scrutinise SCCs much more closely. The European Data Protection Board has produced draft guidance for international data transfers following this ruling.
The UK previously confirmed that it would continue to recognise EU standards of personal data in the event of a non-negotiated exit, permitting UK businesses to send personal data to the EU and countries with adequacy and partial adequacy agreements (e.g. the US, Japan, and Canada) without any additional requirements.
How does the UK-EU TCA impact how businesses interact with EU authorities?
Businesses no longer benefit from the one-stop-shop, which allowed them to interact with a single supervisory authority. This means that if the ICO is currently a business’s lead data protection regulatory authority but the business has offices, branches, or other subsidiaries in the EU, it might need to deal with other European supervisory authorities after the end of the transition period.
If a business is based solely in the UK but offers goods or services to EU citizens or monitors their behaviour, it may need to appoint a suitable representative in Europe. They will act as the firm’s local representative with individuals and data protection authorities in the EU.
What happens to personal data transfers between the UK and adequate jurisdictions?
The EU has granted adequacy to twelve other countries, all of which (except Andorra) have said they will continue to allow uninterrupted data transfers with the UK. Further information can be found on the ICO’s website.