The UK and EU finally came to an agreement on 24 December 2020 and according to this Agreement, until 30 June 2021, any transfer of personal data to the UK will be made under the current framework and will not be considered as a transfer of data to a third country.
However, if at the end of this six-month grace period, an adequacy decision has not been reached, the UK will become a third country in the eyes of the EU. Consequently, all personal data transferred from the EU to the UK will be considered a transfer of personal data to a country not offering an “adequate level of data protection” from an EU point of view, despite the regulatory framework of the UK remaining the same as it was.
As a sensible precaution, the ICO is recommending that businesses work with EU and EEA organisations who transfer personal data to and from them, to put in place alternative transfer mechanisms, to safeguard against any interruption to the free flow of EU to UK personal data. This involved not only conducting and documenting a risk assessment for every processing activity, updating all data protection and information security policies and procedures, including the Records of Processing Activities, but also testing the control measures identified.
If organisations want more advice on how to go about this then please don’t hesitate to contact us.