Loading…

How to manage data transfers from Europe and the United States

Prepare yourself for Brexit - how to ensure continuity of data flows and manage data transfers as we leave the EU (European Union).

As we pass six months of pandemic, 2020 still has some challenges in store for organisations working cross borders. On 31 December we come to the end of the transition phase of Brexit and stand alone; there is much to be done. One item to consider is how we ensure continuity of business and ensure that data flows seamlessly, as it has up to now. 

In 2018, as a member of the EU, we updated our privacy rules through GDPR. As a member state, there were no challenges to transfer data to and from other EU member states.

From 31 December we will face one of two scenarios, the fact we don’t yet know what the UK’s position will be means that UK organisations need to be aware of, and prepared for, both.  

One positive point as we plan for Brexit is that we already have our own UK rules on outward transfers of data. Transfers from the UK to the EU have already been judged to be safe by the UK and UK organisations may continue to send information to EU organisations as they have done up to now. 

About the authors

David Fardell

+44 (0)20 7556 1437
fardelld@buzzacott.co.uk

John Sharples

+44(0)20 7556 1217
sharplesj@buzzacott.co.uk

As we pass six months of pandemic, 2020 still has some challenges in store for organisations working cross borders. On 31 December we come to the end of the transition phase of Brexit and stand alone; there is much to be done. One item to consider is how we ensure continuity of business and ensure that data flows seamlessly, as it has up to now. 

In 2018, as a member of the EU, we updated our privacy rules through GDPR. As a member state, there were no challenges to transfer data to and from other EU member states.

From 31 December we will face one of two scenarios, the fact we don’t yet know what the UK’s position will be means that UK organisations need to be aware of, and prepared for, both.  

One positive point as we plan for Brexit is that we already have our own UK rules on outward transfers of data. Transfers from the UK to the EU have already been judged to be safe by the UK and UK organisations may continue to send information to EU organisations as they have done up to now. 

Preparing for two possible futures

Preparing for two possible futures

What is less clear is the position for EU organisations transferring information to the UK from the EU where the sending organisation is bound by EU GDPR rules. These senders will need to ensure that they do not breach their local rules and rights of EU citizens so careful planning is required to deal with two potential scenario.

  • Scenario one - (and the simplest) is that the UK, as part of the Trade Deal negotiation, is considered an “adequate” country for data transfers. This would mean that business can continue in the same way. There are currently nine territories where there is a full finding of adequacy (some countries that you might expect to see do not have the necessary status). There are partial findings of adequacy about Japan, Canada, and the USA (more later)
  • Scenario two - we do not achieve adequacy by 31 December 2020 and so will be are forced to apply to the EU for adequacy at the end of a long queue of territories ahead of us. This may take a considerable period of time and businesses need to plan for this eventuality.

Contingency planning for scenario two should be in place as soon as possible to ensure that transactions may continue seamlessly. The are alternative solutions to consider will need careful discussion with clients, suppliers, and other companies within a group. Your approach will depend on a number of variables such as the role that you play in information transfers – “controller” or “processor”; the type of information that travels and the type of entity that sends you information. You may need to engage with cloud technology providers who host your data in the EEA. This first immediate step is to review your understanding of your data flows across the organisation. 

Elizabeth Denham, the UK Information Commissioner (and chair of  the Global Privacy Assembly), at a meeting on 30 September would not comment on the state of “adequacy” or the strength of standard contract clauses for international transfers. It appears that we are expected to take a risk based approach and examine each transfer / contract on its own merits. 

A word about the US – we have recently seen challenges to and the demise of both Safe Harbour and Privacy Shield. The current position with the UK regulator is that existing transfers set up to organisations under the old privacy shield scheme may continue but new ones should treat the US as a third country. Transfers to organisations not certified need alternative provisions to protect the rights of UK citizens. 

Data privacy can be complex, and given the current unknowns it would be sensible to prepare for the worst case scenario. We suggest that organisations do the following as a minimum: 

  • Privacy professionals should consult with their board to ensure that business continuity is covered 
  • Boards should consult with their privacy professionals / advisors to review where they are with international transfers
  • Data flow mapping should be reviewed to ensure clarity on international transfers and mechanisms

If you need some help, now is the time to speak to an expert. The Buzzacott privacy team are on hand to assist should you not have internal resource or if you would like more information. Complete the form below and one of our experts will be in touch.

Please complete all required fields above.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
close back
Your search for "..."
did not yield any results.
... results for "..."
Search Tags