The Information Commissioner's Office has urged British businesses to put in place alternative transfer mechanisms to ensure the flow of personal data from the EU to the UK even though the EU-UK trade agreement has allowed personal data to flow freely for another six months.
Earlier this month, the UK government released a summary of the trade deal, dubbed the EU-UK Trade and Cooperation Agreement, that it agreed to with the European Union as part of the process of separation of the UK from the union.
Among other things, the deal allows the free flow of personal data from the EU to the UK for no longer than six months or until adequacy decisions are adopted. It also allows the UK to exchange personal data and information with Eurojust (European Union Agency for Criminal Justice Cooperation).
To ensure continued strong cooperation between the UK and EU member states in deterring, preventing, and responding to various crimes, the UK has also signed a new comprehensive security agreement with the EU. It enables authorities to exchange national DNA, fingerprint and vehicle registration data via the Prüm system to aid law enforcement agencies in investigating crime and terrorism.
The agreement also allows the fast and effective exchange of criminal records data between UK law enforcement authorities and Europol and Eurojust as well as continued transfers of Passenger Name Record data to protect the public from serious crime and terrorism.
"I’m immensely proud of the comprehensive package of capabilities we’ve agreed with the EU. It means both sides have effective tools to tackle serious crime and terrorism, protecting the public and bringing criminals to justice. But we will also seize this historic opportunity to make the UK safer and more secure through firmer and fairer border controls," said Home Secretary Priti Patel.
Welcoming the free flow of personal data from the EU to the UK, Information Commissioner Elizabeth Denham said this is the best possible outcome for UK organisations processing personal data from the EU.
"This means that organisations can be confident in the free flow of personal data from 1 January, without having to make any changes to their data protection practices. We will be updating the ICO guidance on our website to reflect the extended provisions and ensure businesses know what happens next. At this stage it’s good news for businesses and public bodies," she added.
However, because the free flow of personal data will continue only until adequacy decisions are adopted, the Information Commissioner's Office said businesses should work with the EU and EEA organisations that transfer personal data to them to put in place alternative transfer mechanisms, safeguarding against any interruption to the free flow of EU-to-UK personal data.
According to Darren Wray, CTO at data privacy experts Guardum, there are ways British businesses that exchange personal data with their EU counterparts can prepare for the day adequacy decisions are adopted, signaling the end of the free flow of personal data between the two regions. These are:
1. Understand your data flows
Make sure that you know what personal data you are sending, to whom, and what country they are based in. This should be something that all organisations have a good understanding of as part of their GDPR compliance, but things change, so now is a good time to make sure that everything is up to date.
Don't forget to include the companies who host your corporate data, including services such as Office 365 that provide data storage and the processing of email.
2. Understand your client and vendor agreements
Checking through your client and vendor agreements so that they can be amended ahead of time is something that every organisation ought to be doing right now. Unless firms have paid attention to this particular area in the past, there is likely to be at least some work to be done.
3. Ensure the protection of your unstructured data
One of the things that is going to change is that, whereas before a company based in the EU could encrypt a document and send it to its UK partner for processing, in future companies are likely to need to redact or remove the personal information in any documents. So before documents are sent back and forth, companies should use automated redaction software to minimize the risks and the workload of this process.