Data flows: guidance for business
Find out how the UK-EU Trade and Cooperation Agreement (TCA) impacts the flow of personal data.
Following the UK-EU Trade and Cooperation Agreement (TCA), which came into effect on 1 January 2021, the European Commission has now ratified a UK-EU data adequacy decision, deeming that the UK provides a level of personal data protection that is ‘essentially equivalent’ to that provided under EU law and allowing the transfer of personal data between the UK and EU to continue. For more information on using personal data in your business see the government guidance here.
The free flow of data underpins the modern economy and is essential to businesses in every sector, from automotive to logistics. Receiving data adequacy was a priority for businesses, and the decision is a testament to the UK’s commitment to high data protection standards. Read the CBI’s comment here.
The guidance on this page represents the information currently available from government. The CBI will update this page as new information is released.
Key challenges for business
What does the UK-EU TCA mean for GDPR?
The government has incorporated GDPR into UK law (‘UK GDPR’). Businesses must continue to comply and should follow current guidance on complying with GDPR from the Information Commissioner’s Office (ICO). References to EU law and terminology in businesses’ documentation should have been identified and updated to reflect UK terminology upon exit.
What happens now the Commission has made an adequacy assessment?
Now that the decision has been ratified, firms can continue sending personal data to, and receiving it from, the EU as they did previously, without additional safeguards. The European Commission will continue to monitor the UK’s data protection rules, and the adequacy decision will be reviewed every four years.
How does the UK-EU TCA impact how businesses interact with EU authorities?
Businesses no longer benefit from the one-stop-shop, which allowed them to interact with a single supervisory authority. This means that if the ICO is currently a business’s lead data protection regulatory authority but the business has offices, branches, or other subsidiaries in the EU, it might need to deal with other European supervisory authorities after the end of the transition period.
If a business is based solely in the UK but offers goods or services to EU citizens or monitors their behaviour, it may need to appoint a suitable representative in Europe. The appointee will act as the firm’s local representative with individuals and data protection authorities in the EU.
What will happen to personal data transfers between the UK and non-EU countries?
For countries with adequacy: The EU has granted adequacy to twelve other countries, all of which have said they will continue to allow uninterrupted data transfers with the UK. Further information can be found on the ICO’s website.
Having left the EU, the UK will have its own adequacy regime. The government has now announced its priority countries for receiving data adequacy, as well as its general approach to international data transfers.
For countries without adequacy: Standard contractual clauses (SCCs) are the most common safeguard to keep personal data flowing between countries which do not have an adequacy decision. They are standard sets of terms and conditions which the sender and receiver of personal data insert into contracts. Organisations subject to UK GDPR should continue to use existing EU SCCs for data transfers to third countries. Further guidance from the ICO is available here.
Businesses should, however, note that the EU recently released new SCCs following the Schrems II court ruling, but these will not apply to transfers of personal data from organisations which are subject to UK GDPR. The ICO has also consulted on its own version of SCCs for use under UK GDPR, known as an International Data Transfer Agreement (IDTA). The IDTA will replace current SCCs.
The IDTA has now been laid before the public and will come into effect on 21 March 2022.