The UK Government is not budging on its commitment to leave the EU by 31 December 2020. So businesses have to plan for what that means for their obligations under GDPR and Data Protection Act 2018.

Here is a simplified explanation provided by the DPO Centre. It does contain some terminology specific to data protection.

EU to the UK: If the UK is not be deemed adequate, organisations will not be able to receive personal data from the EU without a suitable safeguard in place. It is imperative that you understand exactly how data flows to and from your organisation and plan for implementing a suitable safeguard prior to the end of the transition period.

UK to the EU: This is likely to be a more straightforward affair as the current transfer (i.e. the movement of data from one place to another, this could be, for example, from one data controller to another, or from one jurisdiction to another) of data from the UK to the EU will stay as it is. The UK declared that the EU will effectively be “adequate” for such purposes and data flows will continue uninterrupted, providing they comply with all applicable regulations. As there may be a divergence between UK and Member State laws, it’s sensible to keep an eye on how the legal sands shift over time and be ready to make any adjustments required. Clearly detailing each data flow in your RoPA (Record of Processing Activities) will assist with this monitoring.

UK to Third Countries: The early signs indicate that simplicity may prevail here too. The UK Government has stated its intention to recognise the jurisdictions considered adequate by the EU Commission as also being adequate to receive data from the UK. Privacy Shield (the certification scheme, currently operational with the US, which places requirements on companies to protect personal data and provide appropriate redress for individuals) will continue in its present form, however US entities receiving such data under this safeguard will need to update their privacy notice (a clear, open and honest explanation of how an organisation processes personal data) accordingly. All indications are that the EU Model Clauses will continue as an effective safeguard for such transfers as well.

The validity of the Model Clauses is due to be assessed by the courts in July 2020, so knowing how any changes to this regime may affect your compliance is essential as we move towards the end of the transition period and into a post-Brexit UK.

Credit to DPO Centre and you can subscribe their newsletter to receive informative updates – I subscribe and happy to recommend to you.