The UK has left the European Union (EU) and an interim agreement regarding data protection has been agreed upon. As a result, data flows between the UK and EU can continue freely as they did before, and organisations can operate as normal for a period. However, the agreement between the UK and EU has a limited shelf life and it's not clear what could happen afterwards, leaving UK firms in a potential state of flux over how to properly prepare for the long term.

What does the Trade and Cooperation Agreement mean for data protection?

The Trade and Cooperation Agreement (TCA) between the UK and EU states that the UK shall not be treated as a third country for an interim "bridging" period of four months starting from January 1, 2021, which will be automatically extended to six months unless either the UK or the EU unilaterally objects.

During the interim period UK companies can continue to send data to and from the EU without additional measures in place, and the UK will not change its existing data protection laws during this time. During this period, the European Commission will decide whether it views the UK's data protection regime as "essentially equivalent" to the EU's, and therefore whether data flows can continue without restriction. However, an adequacy decision is not guaranteed, and more restrictions may come into force later in the year.

"In a nutshell, this means that any UK company holding EU citizen data must ensure it is protected and stored correctly to EU standards in order to comply," says Gareth Williams, vice president for secure communications and information systems at Thales UK. "To do this, CISOs should first prioritise investment in encryption to protect the data at rest and in transit. Not only that, but the control over the data must reside within the EEA itself, as the EU dictates."

The temporary nature of the deal leaves UK CISOs and data protection officers (DPOs) in a precarious position going forward. Putting legal mechanisms in place to keep data flows compliant in the event the UK isn't granted adequacy is expensive and time consuming and may turn out to be unnecessary, yet failing to make any preparations could lead to large fines further down the road if adequacy is not granted.

"Moving to standard contractual clauses (SCCs) is a good precautionary measure for some organisations," says Jimmy Desai, GDPR and commercial solicitor at Keystone Law, "although for some organisations this may involve an extensive exercise, which may prove to be wasted time, cost, and effort if the UK is ultimately assessed as adequate."

While UK firms are free to continue receiving data from the EU during the interim period, the ICO has said UK companies receiving data from the EU should put alternative transfer mechanisms in place "as a sensible precaution" to safeguard against any potential interruptions in the future.

Which data laws still apply in the UK post-Brexit?

While the EU's GDPR will no longer apply to UK citizen data, the UK's Data Protection Act 2018 is still in force, as is the UK's own version of GDPR. As such, UK firms will need to ensure they are protecting personal data collected in the UK, respecting privacy, gaining consent, and processing personal data carefully. EU citizen data gathered and housed in the UK is still subject to the EU's GDPR requirements and should be protected as such. Companies that are classed as critical national infrastructure are also subject to the NIS Regulation. The Privacy and Electronic Communications Regulations (the UK's implementation of the EU e-Privacy Directive) will also still apply.

As such, very little will change in terms of day-to-day data protection requirements, and UK firms will need to ensure they comply with almost all the same data protection requirements for UK data as they did in 2020. The EU's eIDAS regulation will no longer apply, but the UK Government is reportedly looking to bring eIDAS or something very close to it into UK law very soon.

These rules may change in the future. The UK has said it plans to retain a strong data protection regime after leaving the EU, but has also said it may well diverge from the current EU positions on certain aspects. CISOs, DPOs and organisations' legal teams will have to stay alert for any changes.

Sending data from the EU to the UK

With the interim agreement in place, UK organisations can receive EU citizen data in the same manner as they did during Union membership or during the transition period. However, CISOs and DPOs will need to be alert to news coming from the ICO and the EU on what happens after that interim period ends.

If the EU rules the UK is adequate, or there is a further agreement, nothing will need to change. If a permanent data protection deal or adequacy decision isn't struck by the end of the interim period, the UK will be classed as a "third country" by the EU. This means UK organisations cannot receive EU citizen data in the same manner as they did during Union membership or during the transition period.

Firms receiving EU citizen data should ensure they have the right legal mechanisms in place to ensure compliance with the EU's GDPR. The most straightforward route is through SCCs, which are templated agreements between the parties sending and receiving the data. Under SCCs, EU citizen data should receive the same level of protection as it would from a company directly under the purview of the GDPR. An SCC is required for each individual data flow.

Binding corporate rules (BCRs) are more flexible than SCCs but are a lengthy and costly route that requires direct involvement from data protection authorities in the EU. BCRs will likely only be appealing and feasible to large enterprises with a large footprint across the UK and EU. Some companies may wish to reassess their data flows and reduce the amount of data they send to the UK, or move their headquarters/data processing from the UK to the mainland to avoid some of the legal hurdles.

"Organisations should focus on understanding their data flows, assessing the risk associated with them and implementing safeguards, like pseudonymisation, to manage that risk," says Marcus Grazette, Europe policy lead at Privitar. "Because the GDPR has been retained in UK law, practitioners (DPOs, CISOs etc.) should not see any immediate change whether we're in a deal or a no deal scenario."

UK firms receiving EU citizen data should also ensure they have a representative in the EU, as required under the GDPR, to deal with data protection authorities. A permanent trade deal or adequacy decision may be made later which would remove some of these requirements, but whether that might happen is unclear.

Sending data from the UK to the EU

Data flows from the UK into Europe will remain unaffected. The UK has deemed the EU's data protection regime adequate, and companies will still be able to send data without interruption. EU firms will have to appoint a UK representative to deal with the ICO as required.

"Much as the EU GDPR is extraterritorial, the UK version will be as well," says Steve Kuncewicz, data protection and privacy law expert at law firm BLM. "Given that both regimes share a common approach, we'll likely see a growth in the appointment of 'UK Representatives' and the revisiting of contracts and policies to refer to the new legislation. Again, adequacy seems a long way off for the time being, but there's a lot that businesses can be doing to fill that gap."

Sending data from the UK to the US

After the fall of Privacy Shield, companies sending data from the UK to the US should, as is the case with data coming from Europe, be relying on the likes of SCCs and BCRs as legal transfer mechanisms for data. Data sent to the US should have a similar level of data protection as it would receive in the UK. US firms receiving UK citizen data will need to appoint a UK representative under the UK GDPR, as they do in Europe under the EU GDPR, to deal with data protection authorities.

Kuncewicz says that while the Schrems II case ensures SCCs to the US remain in place, there is a greater focus on the exporter to map data flows and identify the additional safeguards on which they'll rely to ensure the data is adequately protected. A new Privacy Shield arrangement may be agreed in the future, but it is unclear when this might be.

Sending data from the US to the UK

Data flows from the US into the UK remain unaffected.

Existing adequacy decisions

The UK intends to make its own adequacy decisions in future, but will continue to honour EU adequacy decisions for the following countries:

Andorra
Argentina
Guernsey
Isle of Man
Israel
Jersey
New Zealand
Switzerland
Uruguay
Japan

Canada has a partial adequacy decision. Data sent to countries not covered by an adequacy decision should be protected through SCCs, BCRs, or a similar legal mechanism to ensure adequate data protection is enforced. The IAPP has published a Brexit privacy checklist which will help organisations understand the key tasks and checks they should make to ensure compliance with UK and EU requirements.