International data transfers after Brexit
In June 2021, the European Commission adopted two adequacy decisions for the UK – one under the EU GDPR (General Data Protection Regulation) and the other under the Law Enforcement Directive.
This means that personal data can continue to be transferred from the EEA to the UK without the need for organisations to use SCCs (standard contractual clauses) or another means of ensuring that appropriate safeguards apply, as required by Article 45 of the GDPR.
Under the Commission’s decision, the EU will deem the UK DPA (Data Protection Act) 2018 and UK GDPR adequate for four years, after which the adequacy findings will be renewed only if the UK continues to afford EU residents’ personal data an adequate level of protection in line with the EU GDPR.
If UK data protection law deviates from the EU GDPR to a significant extent during those four years, the Commission has the option to withdraw the decision.
In practical terms, this means you shouldn’t need to worry about processing EU residents’ personal data in the UK if you are compliant with the UK GDPR.
However, the GDPR still requires organisations to implement processes that ensure that third-party data processors can demonstrate compliance with their legal and contractual obligations – wherever they are located.
If you need help with third-party supplier assurance, DQM can run your assurance programme for you.