How to comply with GDPR and keep the data flowing under a no-deal Brexit at the end of 2020

The United Kingdom has crashed out of the European Union without a deal. There is now a transition period until the end of 2020 while the UK and EU negotiate additional arrangements. The current rules on trade, travel, and business for the UK and EU will continue to apply during the transition period. The fears of a hard Brexit will have UK and EU to speed up and implement back-up mechanisms to avoid data transfer breaches.

Most companies took shelter under a deal previously negotiated between the EU and the UK that Britain had two years to finalise a decision that would allow organisations to move data to and from the continent freely. These data transfers would have been possible without breaking the EUGDPR rules and facing stiff fines as a result of non-compliance.

Cost of getting data in and out of the UK

The current situation with heightening fears of Covid19, requires companies to implement back-up mechanisms. The transfer of personal data to the UK has to be based on one of the following instruments: – Standard or ad hoc Data Protection Clauses – Binding Corporate Rules – Codes of Conduct and Certification Mechanisms – or signing contracts that include EU-approved clauses and Derogations that can be used in the absence of Standard Data Protection Clauses or other alternative appropriate safeguards. This solution, however, would also still be subject to some legal uncertainty and perhaps face legal challenges that could invalidate the transfer mechanisms.

Most observers do not expect the EU regulators to be lenient on compliance and will monitor all data transfers to and from the UK. Companies entering into agreements relating to data with vendors in the UK, or vice versa, are taking into account the added resistance and cost of getting data in and out of the UK, post a hard Brexit and finding local partners instead.

Hopefully, in the case of a hard Brexit, the EU may accept in the interim an  “adequacy” decision for the UK and thereby added the UK as a nation to a European whitelist, and the data can flow freely because the privacy laws are accepted as in line with Europe’s.

The long arm of the GDPR

However, if the EU takes a hard approach, the adequacy decision process could take years, even though the UK currently implements the EU’s GDPR rules, because Britain’s data-collection practices as part of its national security regime will likely to come under heavy scrutiny.

Implementing binding corporate rules and standard contractual clauses are probably the simplest way to go, especially for most small and medium-sized enterprises. However, for large organisations, they can be cumbersome and costly to implement, given the short timeframe.