Post Brexit there was a six-month grace period during which transfers of personal data were permitted to continue without restriction.
On the 19th February, the EU Commission published two draft adequacy decisions concluding that the level of protection for personal data in the UK is equivalent to that in the EU.
This is good news for the many Irish companies who regularly transfer data to the UK for processing, either by third party service providers or by group companies.
There are still some steps to complete before the draft decisions are finalised. Specifically, an advisory opinion on the draft decisions must be obtained from the European Data Protection Board (EDPD) and a qualified majority approval is required from the EU member states. Based on past adequacy decisions and the importance of the subject, it is generally expected that these hurdles will be dealt with before the grace period expires on 30th June of this year.
Irish companies will still need to be mindful of any transfers of their data for processing outside of the EU or UK, including any onward transfer by a UK processor. Where this is the case, full transfer impact assessments are still necessary with appropriate safeguarding measures implemented and evidenced.
February 2021To discuss any of your Governance needs call Governance Matters on +353 (0)87 6408750 or email your query to email@example.com