Decorative image of UK and EU flags

Share This Post

On the 28th June, the EU Commission adopted an adequacy decision for the UK. The adequacy decision means the free flow of data from the EU to UK. This means that data can now freely, without speculation about use of Standard Contract Clauses, etc., move from the EU to the UK on the basis that the UK has essentially equivalent data protection (i.e. UK GDPR and Data Protection Act 2018).

However, with speculation about divergence from GDPR being touted by the Prime Minister’s advisors’ report recently, and comments from UK government about wanting to boost the data economy – both of which sounded alarm bells for the EU, there is a four year sunset clause in the decisions which will mean they will need to be reviewed again, plus in the past the EU has made it clear they could pull them at any time if the UK diverged too much.

On this matter (which incidentally, I don’t think will mean the loss of GDPR as a concept, maybe by name) the EU Vice President for Values and Transparency said

“[We] have listened very carefully to the concerns expressed by the [EU] Parliament, the Member States and the European Data Protection Board, in particular on the possibility of future divergences from our standards in the UK’s privacy framework. We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene”

So what does this mean to UK businesses? Essentially, if you process data (as a Data Processor) on behalf of EU customers then your EU customers don’t need to find an appropriate safeguard for the data transfer to be lawful (e.g. you don’t need to worry about signing Standard Contractual Clauses (SCC)). But remember, “processing” has a wide definition so you will still need to consider whether you are a processor (e.g. even if you’re only hosting data) and still need to consider the implications of using non-UK and non-EEA sub-processors.

The GDPR adequacy decision can be found here: https://ec.europa.eu/info/files/decision-adequate-protection-personal-data-united-kingdom-general-data-protection-regulation_en

More To Explore

Eat. Sleep. GDPR. Repeat.

We live and breathe GDPR and ePrivacy compliance, so you don’t have too. Our GDPR UNLIMITED helpline is all about offering you help and support, whenever you need it most. As well as the unlimited helpline, you get up to 4 hours “hands-on” help each month, which we can configure to help you in anyway you need such as a GDPR review, or acting as your DPO.

As well as the unlimited helpline and hands-on help you get GDPR and privacy updates, access to our GDPR knowledge centre and webinars.

Unlimited email & phone support

Unlimited email and phone support. Email or organise a voice call as often as you need each month.​

Up to 4 hours "hands-on" help per month

We use these "hands-on" hours to do the GDPR work for you, such as reviews, acting as your DPO, checking DPIA, dealing with breaches, training your staff, etc. (Additional hours: £100+VAT per hour)

Online resources

Our Knowledge Centre gives you access to information, guidance, topic related guides and other tools to support your GDPR and PECR compliance

Updates, alerts & briefings

We provide updates and alerts and a monthly compliance briefing. You can either sign into the Knowledge Centre or sign up via email to receive an email every time we add a new update or alert

DPO services

Whether mandated or not we can act as your Data Protection Officer (DPO) and manage your day to day compliance

Webinars, workshops & training

Whether updates on the latest issue, workshops or team training, it's all included in your monthly retainer.

LIKE WHAT YOU'RE READING? join our email list

Sign up for monthly briefings and the occasional emails about our webinars and services

Want to know more about how we use your data? Check out our privacy policy