Data transfers as the Brexit clock counts down

Many business owners have spoken of their concern for the impact a “no deal” Brexit could have on personal data transfers between the EU and the UK.

However, some experts say that any adverse fallouts can be easily managed by the use of model clauses for data protection agreements.

Should “no deal” occur, UK data protection standards would remain the same, with the Data Protection Act 2018 remaining in place, and the EU Withdrawal Act serving to integrate the General Data Protection Regulation into British law.

As such, data flows from the UK to the EU would stay the same.

The European Commission has put forward a number of “adequacy decisions” to some nations beyond the borders of EU data protection legislation. These decisions allow for the transfer of personal data to those nations from the EU.

Within an adequacy agreement is the understanding that the country outside the EU holds data protection standards that live up to those in Europe. The UK would retain the effect of adequacy decisions of the EU with relation to third-party countries, enabling the data flows to continue from the UK into other nations that achieve adequacy.

In all likelihood, the UK will receive a positive adequacy decision as a result of the Data Protection Act 2018 having the GDPR integrated into it, to serve as law in the UK.

Taking data transfer risk into consideration, bringing in standard contractual clauses into arrangements between the EU data controllers and UK counterparts can help data transfers to remain in place with little or no disruption.

In order to prepare for compliance with the GDPR and the Data Protection Act 2018, organisations should take the following steps:

Ensure privacy policies and procedures are fully updated and compliant with current standards. Policies must detail where personal data is being collected, how it is being processes and where it is stored. The legal basis for the processing must also be clearly established.

Subject Access Requests (SARs) are an essential component of compliance, so proper procedures must be put in place so that SARs are responded to promptly – within 40 calendar days of the SAR being received – and with the correct data in full.

All data processing must be recorded and monitored, not least because compliance with GDPR requires the development of a data map. Using the data map, companies can expedite the identification of data, third-party handlers and controllers in response to an important event, such as a SAR, data leak or an audit.

Annual impact assessments should also be carried out, to prove that the company is always aware of processing activities that may impact upon data subject rights and freedoms.

Finally, GDPR and DPA compliance will rely on education. It is essential that, through sustained training and familiarity initiatives, employees understand their responsibilities regarding personal data and compliance, and understand the potential consequences of not taking data privacy seriously.

The Data Protection Officer should take a leading role in putting together adequate training for key individuals and teams within your organisation.

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.