With all that has happened this year, most of us can’t wait until 2020 is in the rear view mirror. The end of 2020, however, marks the end of the transition period provided, post-Brexit, to allow time for UK businesses and organizations that rely on international data flows, target European customers or operate inside the EEA, to negotiate a new data protection relationship with the EU.
According to the UK Information Commissioner’s Office (ICO), after the transition period, the “UK GDPR” will take effect, with the same key principles, rights and obligations as the GDPR. However, there are implications for the rules on transfers of personal data between the UK and the EEA.
Understanding your international flows and cross-border processing of personal data, and specifically, transfers from the EEA to the UK, is critical to assessing what steps may need to be taken, presumably prior to the end of the transition period, to continue to lawfully receive these transfers. A determination will need to be made whether a new data protection relationship needs to be established, considering the use of standard contractual clauses, binding corporate rules, and the guidance provided by the UK ICO, European Data Protection Board, and the European Commission.
The current guidance, while certainly well-intentioned, is murky at best, leaving many open questions about what may be required. So, as the anxiously awaited end of 2020 approaches, keep an eye on those relationships and how to make them work.