In this article my colleagues, Rohan Massey, Abbey Shaw and I consider the likelihood of an adequacy decision being granted in respect of the UK by the European Commission confirming that the UK's legal framework and data protection regime are "essentially equivalent" to those established by the GDPR and provide adequate protection for individuals' personal data.
If no adequacy decision is granted prior to the end of the transition period - in other words, before 1 January 2021 - organisations transferring, or planning to transfer, personal data from the European Economic Area to the UK will be required to implement suitable cross-border transfer mechanisms to ensure that appropriate safeguards are in place which provide an adequate level of protection for personal data.
We consider various ways in which personal data transferred to the UK can be adequately protected, together with a number of recent European legal developments which may impact upon traditional transfer mechanisms.
The message is clear – in case Brexit reaches an inadequate conclusion, take steps now to avoid your business suffering the same fate!
With Brexit on the horizon, potential changes to data transfer laws raise the spectre of disruption to personal data transfers from the European Economic Area (EEA) to the UK. From 1 January 2021, the UK will be considered a third country outside of the EEA for the purposes of the General Data Protection Regulation (EU) 2016/679 (GDPR). Ahead of this deadline, businesses should start thinking pragmatically about personal data transfers from the EEA to the UK to ensure a frictionless transition in case a European Commission 'adequacy decision' is delayed, or worse, not granted at all.