Brexit brought new rules for international data transfers.

When Britain was part of the EU, and during the transition period, data could move freely between the UK and the EU on the basis of the shared legal framework under the GDPR (General Data Protection Regulation). The ICO (Information Commissioner’s Office) could also coordinate supervision with the other data protection supervisory authorities across Europe.

After Brexit, the EU Commission’s “adequacy decision” secured the flow of personal data from the EU to the UK. That decision is expected to last until 27 June 2025.

There are a number of practical considerations organisations need to take into account when transferring data between the UK and the EU. Discover more about our International Data Transfer Assessment service below.

What will an International Data Transfer Assessment cover?

Our consultants can help with the following:

Map your data flows

It is important to thoroughly map your data flows so you know which countries can access your data. Data flow maps will also help you consider if you have minimised the data you transfer. We can help by reviewing your existing data flow maps or creating new ones.

Appoint an EU/UK representative

If you are a UK-based organisation offering goods or services to individuals in the EU or monitoring their behaviour, and you do not have offices in the EU, you may need to appoint an EU representative and vice versa. We can help you reach the right decision by guiding you through the law.

Re-evaluate your lead supervisory authority

It may be appropriate to identify an EU lead supervisory authority, in addition to the ICO, if you are processing personal data in a way that could substantially affect individuals in the EU. We can help you identify that additional supervisory authority.

Update your paperwork

You should review and update your privacy policies and notices to ensure they accurately reflect and describe the flow of data. You should also update existing contracts and templates, and ensure your ROPAs (records of processing activities) meet the legal requirements of the UK GDPR and EU GDPR. Finally, you should check if you need to update any data protection impact assessments or legitimate interest assessments.

Establish review mechanism

We can help you establish internal mechanisms and processes to keep any decisions on data transfers under review.

What to expect

Your consultant will work with you to schedule interviews with key individuals such as the Head of IT, Privacy Manager, Project Manager and Head of Operations.

These interviews will help your consultant establish whether your organisation is aware of the tasks required and, if so, whether it is on track to complete them.

The interviewees should not need to prepare for the interview, but if your organisation had a Brexit project plan, it would be useful for them to have it available.

Following the interviews, the consultant will produce a report showing clearly what actions are not started, started but at risk, and on track or completed. This will help you identify and fill any gaps in your action plan.

If your objective for this report is to help you start your project, we can also include a summary of the decision and its implications, an explanation of the options available to you and a template action plan.

What comes next?

Your consultant can help you implement the recommendations. Your support plan can be tailored to your requirements.

Example Service 1 - A little help

We can provide you with telephone and email support to answer any questions you may have as you work through your plan.

We typically provide this as pre-paid days, which can be drawn down in 15-minute increments on the basis of the time taken to answer each query.

This is suitable for simple questions with simple answers. If your question is more complex, we will let you know and suggest an approach for us to help you resolve it.

Example Service 2 - A lot of help

In one week, we could:

Review your policies, procedures and risk registers, and highlight areas that need review;
Work with you to identify the most appropriate lead supervisory authority and advise you of any actions you need to take, such as paying a registration fee;
Review your roles and responsibilities, including your DPO (data protection officer) if you have one, and advise you of any training needs resulting from Brexit;
Review your Article 30 ROPA and highlight priority processes for review;
Review your contract library and highlight the contracts that need to be renegotiated; and
Work with your project team to ensure they understand the actions allocated to them and the requirements for completing each task.

Other services of interest:

EU GDPR Representative Service

If you process data belonging to individuals in the EU but do not have an establishment in the EU, you may need to appoint an EU representative. The EU representative acts as a local contact for data subjects and supervisory authorities in relation to all issues arising from the processing of personal data.

Our sister company GRCI Law can act as your EU representative and as your point of contact for EU citizens and EU supervisory authorities.

visit grci law

Privacy as a Service

Our sister company GRCI Law can provide privacy compliance and legal services to support you to comply with your obligations. With Privacy as a Service you:

Achieve GDPR and DPA (Data Protection Act) 2018 compliance quickly, easily and cost-effectively;
Remain one step ahead with affordable advice, guidance, training and support;
Reduce your privacy risks with one simple and affordable subscription service; and
Enjoy peace of mind with your own dedicated, outsourced DPO or data privacy manager.