Currently, personal data can move between organisations across the EU/EEA without restrictions as the UK has a common data protection regime in the GDPR. However, once the UK leaves the EU that situation will change. UK Government has already committed to allowing data to continue to move into the EU/EEA, as well as to the 13 countries the EU has already deemed as having adequate data protection systems in place, so transfers out of the UK will not be affected. However, transfers into the UK from EU member states may be affected.
The EU does have a number of mechanisms to allow data to be transferred to countries outside the EU – the main one being the adequacy decision which confirms a third country’s data protection regime is adequate compared to the GDPR. UK Government has confirmed they intend to seek an adequacy decision from the EU after exit, but this process cannot start until after we have left. Receiving an adequacy decision may take some time. The UK Government is committed to seeking an adequacy decision and the process for this will commence during the transition period, should a deal be agreed. However, if the UK leaves without a deal, there will be a period of time where the UK is a third country without an adequacy decision and transfers out of the EU to the UK may be in breach of the GDPR. This may mean that data flows will be disrupted as businesses in the EU who transfer data in breach of the GDPR may be subject to extensive fines.
DCMS and Welsh Government are working to ensure that businesses across Wales are aware of the issue and are aware of the guidance which has been prepared by the Information Commissioner, and the support available to businesses to prepare for any impact they may identify. If you have any queries please contact: firstname.lastname@example.org