November 13, 2020

The 13th Annual European GRC and GDPR compliance conference

More than 200 delegates from more than 40 countries attended this whole day seminar. The conference provided an update on a number of relevant compliance and GDPR topics, such as:

  1. Top Operational Responses to GDPR,
  2. Data Privacy and Data Protection,
  3. The Risk Gaps and the Impact Of Digitalization To The Organisation, Employees and the Society,
  4. Minimising Privacy Risk from A Global Data Processor's Perspective,
  5. Post-GDPR Effects and Issues,
  6. The primary corporate concerns of the Brexit for the UK and the EU,
  7. Technology-driven, GRC, Data- Privacy, Protection, IT- and Cybersecurity Execution, and
  8. how to strengthen and automate the organisations GRC and Data Protection Compliance and certification issues from ISO 27701/2

My section was about Brexit, governance, compliance and data protection. Whilst some aspects of governance will not immediately change after the end of the transition period, there will be changes in relation to data protection.  The expiry of the transition period does not mean that the GDPR will become irrelevant. In fact, the rules will be “merged” through a complicated set of regulations following the withdrawal and the Data Protection Act 2018 (DPA 2018). Therefore, the treatment of personal data will still be a very important issue for any business with activity in the UK and EU.

One of the issues which will change from the situation in the transition period is how the flow of data between the UK and EU will be regulated. This is a very practical issue, which businesses in the UK should prepare for.

In relation to personal data flowing from the UK to the EU the withdrawal legislation does not put in place restrictions for such flow. The EU is viewed as offering the same level of protection the UK.

The position is different when it comes to the flow of personal data from the EU to the UK. After the expiry of the Transition Period, the UK will become a “third country”, and that, as a starting point, could make the flow of data from the EU to the UK difficult.  This could be cured if the EU made an adequacy decision about the UK Data Protection rules, or if the UK and EU agreed a Free Trade Agreement, where Data Protection is dealt with.

As this is not certain to take place before the end of 2020, businesses must prepare for the eventuality that it does not happen. To secure a continued flow of personal data from the EU to the UK, UK businesses must ensure that such dataflow can continue. This could involve making sure that the contracts under which the personal data is obtained allow for such a transfer. There are standard clauses, which can be inserted in the contracts to ensure such transfer.  For dataflow within groups binding corporate rules may also be an option.

Therefore, businesses should as preparation assess, where they receive personal data from, and how that will be affected by the expiry of the transition period.

Share on: