Brexit data protection decision uncertainty threatens UK-EU data flows

A no-deal Brexit scenario seems likely, and CISOs will need to adapt policies and procedures if the EU does not declare data protection adequacy for the UK.

As the COVID-19 crisis begins to ease, the UK can return its focus to negotiating a Brexit deal to leave the European Union before its crashes out at the end of the year. With little sign of any permanent agreements being made, UK organizations with operations in the EU need to prepare to operate under a new set of data protection rules.

Under the Withdrawal Agreement, the transition period runs to December 31, 2020. Until then the requirements around data protection remain the same as before: Data flows between the UK and the EU can continue unhindered, and firms continue to comply with local data protection requirements.

A study by UCL found that around 75% of the UK’s international data flows are with the EU and concluded that disruption to that would be “extremely damaging” for UK businesses. If the UK leaves under a no-deal scenario without a data protection deal or decision that UK provides adequate data protections, it will become a “third country” and data flows will no longer be allowed without additional legal instruments such as standard contractual clauses (SCCs).

“The UK-EU trade talks have been characterised by a desire to seem willing to walk away without a deal, but it’s difficult to know how far that reflects reality, and how far it’s just a negotiating tactic,” says Camilla Winlo, director of consultancy at privacy and data protection consultancy DQM GRC. “Whilst it’s impossible to know how much of this is real and how much is bluster, it is very far from certain that the UK will leave the EU with a trade deal that covers digital trade and data protection.”

To continue reading this article register now

22 cybersecurity myths organizations need to stop believing in 2022