Despite last week’s deal between the UK and the EU, numerous questions remain regarding data transfers and how this aspect of Brexit will be handled.
Under the European privacy laws, any transfer of personal information outside the EU is prohibited.
Examining the Brexit agreement makes it clear that nothing will change for British companies for the next four months.
Unless one of the sides objects, two more months will be added on top of that.
During the specified period, the EU will gauge the UK’s level of regulatory privacy protection.
Certain companies will need to have data protection safeguards in place, including the standard contractual clauses for every company that handles such data.
According to Sarah Pearce, a cyber security expert, companies that are currently using the UK’s Information Commissioner’s Office as a governing body will be required to update their binding corporate rules.
Scott Pink, an associate at law firm O’Melveny, added that the companies that previously chose a UK-based data representative will need to move them to an EU country.
This is a requirement to do business in the EU.
However, the problem of UK and EU laws diverging implies that in order to keep on top of things, companies will now be required to keep track of two separate privacy regimes.
The good news is that these are expected to be similar in nature, though the UK’s version of GDPR is settled.
According to Jung-Kyu McCann, general counsel for cloud data management platform Druva, increased enforcement is coming, both from the UK and the EU.
Furthermore, McCann advises companies to prepare answers to the UK’s enforcement efforts, whether they apply to their company or not.
Post-Brexit, there will be a new legal reality to prepare for, and Druva is already taking the steps necessary to move in that direction.
McCann is hoping that the EU’s decision will come in early 2021.