Exploring the new data landscape after Brexit

Data flows between the UK, the EU and the wider world are changing as a result of Brexit. Here’s what you need to know.

After two years spent adjusting to and coming to terms with GDPR requirements, the data landscape is changing once again.

GDPR restricts transfers of personal data from the EU to countries outside the EEA (third countries), unless the transfer is covered by an adequacy decision, an appropriate safeguard or an exception. As of 1 January 2021, the UK is considered a third country. 

The European Commission has the power to determine whether a third country has an adequate level of data protection. A cliff-edge has been avoided, though, as the UK’s trade deal with the EU includes a six-month extension to the existing data arrangements, meaning data can flow freely between the UK and EU. This allows time for a decision to be made. 

Adequacy 

As an EU member, the UK was signed up to GDPR and regarded as having sound data protection rules. But, in December 2018, the European Commission warned that if the UK leaves without adequacy being granted, measures will have to be put in place to ensure data can be exported from the EU to the UK. 

Data flows  

For a practice mainly dealing with UK clients, the changes made to comply with GDPR in 2018 still hold. GDPR (i.e. the EU regulation) was incorporated into the UK’s Data Protection Act 2018, so the same mechanisms regulating data remain.

If you have clients in the EU, however, be aware that data flowing from the UK to the EU is different to data coming from the other direction. 

The EU has agreed that the status quo with data transfer will apply for six months while it reaches a decision over UK adequacy. If adequacy is refused, it would mean inserting Standard Contractual Clauses (SCCs) into contracts with those supplying your data. These clauses must follow wording approved by the European Commission, and the ICO provides template contracts you can use.

It’s not just Europe 

If you have data flows between the US and the UK, you also need to be aware of this. Prior to Brexit, companies could send data to the US because the EU and the US had an agreement. The UK is no longer part of that agreement, but the World Trade Organisation has said that the UK has always been on top of data protection. Rather than leave the UK in limbo, it has asked US companies to amend their policies – from “data flow to and from Europe” to “data flow to and from the UK”. 

The ICO’s six steps to take 

  1. Continue to comply – apply GDPR standards and follow current ICO guidance.
  2. Look at data flows – identify where you transfer data from the UK to any other country, not just the EU.
  3. Look at data into the UK – identify where you receive data into the UK from the EEA. Consider GDPR safeguards to ensure data continues to flow.
  4. If you operate across Europe – review your structure, processing operations and data flows to assess how Brexit will affect data protection.
  5. Ensure documentation is up to date – review privacy information for compliance.
  6. Make key employees aware of ongoing issues.

AAT Comment offers news and opinion on the world of business and finance from the Association of Accounting Technicians.
