Our Group’s Position on Data
The Government has now announced that the Treaty agreed with the EU will allow personal data to flow freely from the EU (and EEA) to the UK, until adequacy decisions have been adopted, for no more than six months. This will enable businesses across all sectors, including ours, to continue to freely receive data from the EU (and EEA).
However, the ICO recommends that businesses work with EU and EEA organisations who transfer personal data to them, to put in place alternative transfer mechanisms, to safeguard against any interruption to the free flow of EU to UK personal data. As previously announced, the UK has, on a transitional basis, deemed the EU and EEA EFTA States to be adequate to allow for data flows from the UK.
The UK has granted the EU adequacy. This means that the UK will be able to process/share data within and via the EEA. However, this only permits one-way transmission and processing. Without a positive permanent adequacy decision, EEA countries will not be able to process, return or transmit data through the UK (third country) under GDPR without additional measures once the transitional period has ended.
Our Suppliers and Data
Our agreements largely contain clauses which permit data transfer outside of the UK within the EEA. We are currently carrying out an exercise with our supply chain to ascertain the extent to which any of those suppliers actually transfer data outside of the UK. This is part of our existing data mapping exercise to identify which countries information is flowing through.
Once we have this information, we will work with the suppliers concerned to ensure that appropriate Standard Contractual Clauses and Data Sharing Agreements (external and within our Group) are in place along with additional security measures.
If you have any questions arising out of Brexit and concerning your or your clients’ data, please forward them to the Group Compliance Team and we will be happy to discuss further with you.