Following on from the UK’s departure from the EU in January 2020 we have been waiting for the EU commission to review the UK’s Data Protection regime and determine whether we provide an equivalent level of protection to our data.
Whilst the UK Government deemed it safe and acceptable for the UK to send data to the EU, no provision was in place to receive data into the UK from the EU. Therefore, an adequacy decision was required to allow a compliant and seamless transfer of data to occur between the two.
On 28th June 2021 the Commission published two adequacy decisions in relation to the UK:
- EU GDPR Transfers
This deems the UK to have adequate protection in place and allows the EU to transfer data into the UK under the EU GDPR. - Law Enforcement Directive (LED) Transfers
This deems the UK to have adequate protection in place for data to be transferred from the EU into the UK for the purposes of prevention, investigation, detection and/or prosecution of criminal offences.
What does this mean for me?
The adequacy decisions granted are likely to be in place until June 2025 therefore the first step you should take is to document all of your data transfers and identify those that are international (i.e. outside of the UK).
If the data is travelling between the UK and EEA no further action is required – these transfers are covered by the Commissions adequacy decision. The EEA consists of the EU states plus the EFTA States.
If the data is transferred to a country outside of the EEA separate arrangements should already be in place under the UK GDPR to allow for these restricted transfers to occur. These include:
- Adequacy decisions applied by the Commission and adopted by the UK
- A legal agreement between public authorities
- Binding Corporate Rules – used by multinational corporations for international transfers
- Standard Contractual Clauses – clauses issued by the EU that can be added to contracts but cannot be altered.
- Compliance/registration to an approved code of conduct
- Approved certification scheme
- Authorisation from the ICO
- Administrative agreements between public authorities
Once all transfers have the appropriate safeguards applied all policies, privacy notices and documentation should be updated.
For further advice and guidance, or to see how we can help you ensure compliance to data protection regulations please contact us.