At the date of updating this document, 24th June 2021, a final decision by the EU on UK ‘Adequacy’ status has not been reached. The current agreement reached under Brexit for data transfers runs out with the EU on the 30th of June. This means that you must plan for the worst scenario of ‘non-adequate’ status when transferring personal data in from Europe and for all transfers to any other country, except for a very limited list of countries who are adequate.
The list of countries deemed to have adequate personal data protection includes:
- Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.
Two other countries are deemed to have partial adequacy:
- Japan and Canada.
On the 4th June the EU released their new Standard Contractual Clauses (SCC) for compliant cross border transfer of data under GDPR. We are still waiting to see if the ICO will update their SCC’s. We are using the current SCC’s from the ICO for all new agents abroad. The ICO has stated that they will update the UK ones later this year.
All companies will have approximately 18 months to transition to the new SCC’s. This is likely to remain the same if the UK gets an ‘adequate’ ruling. This means that from 27th September 2021 all new data transfers must use the new SCC’s in order to be GDPR compliant. All existing SCC’s must be replaced by 27th December 2022.
There are practical updates to the SCC’s which include the following:
- four different modules to cover controller-controller, controller-processor, processor-processor and processor-controller
- where the SCC’s are used from a company subject to GDPR to a processor or sub processor it will no longer be necessary to enter into a separate agreement
- multiple controllers and processors may sign the same SCC’s
- a clause can be added allowing new signatories to be added after the initial adoption of an SCC
So as far as your Company is concerned you need to carry out the following tasks when sharing data outside of the EU:
- Implement new SCC’s on all new data transfers abroad.
- Create a rolling program to replace all existing data sharing agreements.
- Ensure all staff involved with setting up new contacts overseas are aware of new documents and how to use them.
When we are sharing personal data in the EU we have two areas that may need to be covered:
- If sharing data with another member of your group of companies then you would need to liaise with them to use Binding Corporate Rules.
- If sharing with another EU company, then you would need to utilise the EU SCC’s
This is all going to change before the end of 2021 in that the ICO will be publishing new UK SCC’s which will have to be adopted by your Company going forward.