GDPR: Brexit still does a lot of work

May 25 marks the entry into force of the European General Data Protection Regulation. On this occasion, Ms. Angela Leachman, Team Leader of Data Protection Advisory Services, TÜV SÜD, took a look at the biggest question mark currently in regards to data protection and the GDPR: the effects of Brexit.

It’s now three years since the General Data Protection Regulation (GDPR) finally came into effect across the European Union on May 25. This date was preceded by a two-year transition period to facilitate companies’ readiness. The European General Data Protection Regulation regulates the handling and storage of personal data within the European Union. Brexit poses new challenges in this context.

Currently there is a transition period for the UK in terms of data protection law until the end of June 2021. This means that the UK will not be seen as an insecure third country under the GDPR during this period. A potential adequacy decision could be issued by the European Union Commission during this transition period. A draft for this has been available since February 2021. With Adequacy made, a legal basis for data transfer to the UK will continue to exist from July 2021. Otherwise, the same conditions apply to the UK from the end of the transition period as is the case for other insecure third countries, For example B. to the United States or China.

That could mean another massive effort for some companies, depending on the flow of data to the UK. The companies will then have to verify all data streams and be able to provide a legal basis for every data transfer that will allow the data transfer to the UK. Possible legal bases here could be, for example, standard data protection clauses, perhaps in relation to additional technical, regulatory or legal measures, or so-called binding company rules, which are legally binding within a group of companies.

The Brexit example shows that data protection is not a complete project, but a process that requires constant attention and specialist knowledge. Companies that cannot rely on their experts can find support from independent data protection experts. These support you in meeting statutory requirements and complying with the law.