Back to News List


Brexit - latest guidance

January 4th, 2021

Please keep an eye on this page - we will update it as further information becomes available

Brexit - Interim solution for personal data transfers from EU to UK
Interim Agreement

On 24 December 2020, the UK and the EU agreed the terms of a Brexit deal which includes an interim solution to the issue of personal data transfers from the EU to the UK.  This means that there is no need (yet) to put alternative transfer mechanisms (such as SCCs) in place.

The interim solution allows organisations that transfer personal data from the EU to the UK, to continue to do so, for up to six months to give time for the European Commission to hopefully approve an adequacy decision for the UK.  During the extension period, transfers of personal data from the EU (and the EEA) to the UK will not be considered transfers to a ‘third country’ (provided that the UK’s data protection law remains the same as it is as of 31 December 2020).  However:

  • The initial four-month extension period will end when adequacy is granted, or may be extended by two further months unless the UK or EU objects;
  • If the UK amends its data protection legislation, or exercises certain designated powers without EU agreement during the extension period, the extension period will end.

The Agreement took effect provisionally in EU law on 1 January 2021, pending ratification by the EU Parliament in early 2021. The UK Parliament has ratified the Agreement.

ICO Caution

The ICO has issued a statement on the Agreement. The statement reminds us that adequacy is not guaranteed and therefore:

“As a sensible precaution, before and during this period, the ICO recommends that businesses work with EU and EEA organisations who transfer personal data to them, to put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU to UK personal data.” 

Data Transfers From UK To EU

The Agreement does not address transfers of personal data from the UK to the EEA.  These transfers can however continue without safeguards because the UK has already designated EEA member countries as providing an adequate level of protection (of personal data for the purposes of the UK GDPR).  In addition, the UK has adopted the same adequacy decisions as the EU and so transfers can be made from the UK to these ‘adequate’ countries e.g. Japan, without additional safeguards.

Other Brexit Issues

It is important to remember that organisations still need to address other Brexit issues, including privacy notice updates and the appointment of an EU representative where necessary.  Please see the detail below for more information on these issues. 

The BHBIA's guidance for members:
  • See our 'Data Protection Update – Brexit Implications' and 'Brexit Implications - Nominating a Representative'  guides, under 'Guidance Notes' in the Privacy and Data Protection section of the website. These have both now been updated with the latest (January 2021) information.
  • You can also tune into the recording of our 'Brexit and Data Protection Implications' webinarheld on 13 November, to hear the guidance clearly explained by members of the Ethics & Compliance Committee.
Additional Guidance:

If you’re keen to keep up with the latest advice on preparing for the data protection implications of Brexit, you will be interested in the following:

  • EFAMRO's short report: Brexit, Data Protection and Research, What happens on January 1, 2021? provides clear and helpful guidance upon the European data protection Board’s December 2020 recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (currently under consultation).