GDPR – The Draft Data Decision
by Johnny Tremlett
For as long as Brexit has been part of our everyday language, almost all the focus has been on what the UK’s departure from the EU will mean for the future movement of goods, people and services. However, due to the sheer size of the UK-EU relationship, many of the smaller, less glamorous issues can fall outside of the media spotlight, though this does not diminish their importance or influence on future UK-EU relations. One such area is data protection.
In a digital age, data is undoubtedly king. It is also an issue that could have caused seismic change to the everyday lives of people, businesses and organisations that frequently interact with their EU-based counterparts. While still an EU member, the UK contributed to the creation of the General Data Protection Regulation (GDPR), the strongest and most comprehensive data protection regulation in the world. This was then implemented into domestic law, and all UK-based individuals, organisations and businesses, and those they transfer data to and from, had to adhere to this regulation.
The Brexit Impact
With the UK’s decision to leave the EU came the issue of regulatory divergence and separation. Many of the UK’s regulations across a range of areas such as health and safety, product standards, chemical safety, food and plant safety and data protection originated from EU Directives. This meant that, when the transition period ended, the UK government was no longer obliged to meet these standards, which has meant difficulty in the movement of goods and the introduction of customs procedures.
The transfer of data does not require customs procedures though. Instead, the impact of Brexit on data protection concerns the safety and security of the data movement. Although the UK’s existing GDPR legislation is sourced directly from the EU equivalent, the European Commission did not recognise it to be of an equivalent standard, or ‘adequate’.
As with many regulatory areas post-Brexit, there was a grace period implemented that ensured data could continue to be transferred between the UK and the EU. The grace period on data protection is to end on 30th June 2021. Without an adequacy decision, data transfers would still be possible, but only where the necessary legal protections were in place. This would be a time-consuming and costly exercise and would ultimately disrupt operations for businesses and organisations throughout the UK and the EU.
Reassuringly, this looks set to be avoided, with the European Commission announcing that a draft data adequacy decision has been completed.
The Draft Decision
The European Commission published its decision in late February, stating that data can continue to flow between the UK and the EU from the end of the grace period. By announcing its intention to grant an adequacy decision, the European Commission provided a major boost to industries heavily reliant on data and its transfer, including the healthcare, financial services, insurance and technology industries.
There is still some way to go before the data adequacy decision is rubber-stamped. It is important to remember that the published decision is only at a draft stage and will be scrutinised by the European Data Protection Board. Any data adequacy decision will also be subject to checks every four years, to ensure it still meets the required standard for an adequacy decision.
Impact on Your Business
The decision of the European Commission means that many businesses across the UK will not need to begin preparations to adapt to a new area of regulatory divergence, and it ensures general continuity of the current system for many. However, it is important to note that businesses and organisations must still take the required steps to adhere to GDPR and ensure their compliance with the necessary standards.