In late Spring 2018, inboxes across Europe were being clogged up with emails from businesses, eager to explain how their privacy notices had been updated to cater for a new EU law: GDPR.
Roughly 18 months later, Northern Irish businesses ought now to be considering how they may continue to be subject to the requirements of GDPR and equivalent UK legislation from the end of the year, including how GDPR will continue to apply to their customers and suppliers in the EU27, and whether GDPR might block the sending of personal data from the EU27 to the UK.
As of the end of the Transition Period, the UK will become a “third country” for the purposes of GDPR and, unless a Brexit deal is reached or a decision of adequacy is made by the European Commission before then (in which case, businesses would breathe a sigh of relief that not much as much needs to change in how they operate), additional measures and contractual documents will be needed to ensure cross-border data transfers into EU27 can continue, privacy notices will (again) need to be updated, data maps will have to be re-drawn and representatives based in EU27 may have to be appointed. We have been assisting numerous clients in better understanding, and preparing to comply with, their obligations in that regard.
The risk here is not just from data regulators (some of whom may be prepared to take a relaxed approach, in the early stages at least), but from nervous customers in EU27 who need to be reassured that the UK company has taken the appropriate steps for personal data to continue to be sent across the border. Indeed, this could pose an opportunity for UK businesses to position themselves to provide that reassurance and, not only retain their own customer base, but perhaps capitalise on a competitor's lack of preparedness.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
