If you have operations across the EU, or are a UK company with customers in other parts of the EEA, you should consider what contractual preparations may be needed for when the UK becomes, in data protection terms, a ‘Third Country’ on 29 March 2019.
To date, many have placed hopes in the EU issuing an ‘Adequacy Decision’ in relation to the UK that would apply from 29 March 2019 – the Brexit Date. However, the EU has now advised that it will not consider such a decision until the UK becomes a Third Country after 29 March 2019.
If a bespoke data protection agreement with the EU is not signed, or there is a ‘no deal’ Brexit, intra-organisational flows of personal data in the EU may be impeded unless the EU’s standard contractual clauses (SCCs) are in place. Most European customers of UK businesses will also need to rely on the SCC mechanism to transfer their data to UK suppliers in these circumstances.
Do you need to prepare contractually for this possibility? While SCCs need not be put in place now, establishing a mechanism to incorporate these clauses into contracts or intra-organisational agreements from the Brexit Date if no deal is reached may be a step worth taking to mitigate both compliance risk and operational disruption.
If this issue will affect your business, please get in touch with us to discuss your position.