With the United Kingdom voting to leave the European Union in 2016, the UK and EU have been negotiating to secure a trade and security agreement before 2020 ends. At the time of writing, post-Brexit trade deal negotiations between the UK and EU are continuing in Brussels amid reports that progress in the talks could see a deal this week.
Clearly, many eyes are on these negotiations, looking to understand the implications for businesses – both those in the UK looking to sell outside it, as well as those looking to do business with UK customers. The GDPR will be retained in domestic UK law at the end of the transition period, but the UK will have the independence to keep the framework under review and make changes.
Here are answers to some questions you might have about the UK departing the EU.
Can my company still transfer personal data to/from the European Economic Area (EEA)?
If you are a UK business or organization that already complies with the GDPR and has no contacts or customers in the EEA, you do not need to do much more to prepare for data protection compliance at the end of the transition period.
If you are a UK business or organization that receives personal data from contacts in the EEA, you need to take extra steps to ensure that the data can continue to flow at the end of the transition period.
These steps might vary depending on the following factors:
- If the European Commission gives the UK an adequacy decision on its data protection protocols before 2021, companies do not need to take any action with regard to the transfer of personal data.
- If the Commission does not give the UK an adequacy decision before 2021, companies that transfer personal data to the UK must use a transfer mechanism that complies with the supplementary measures established by ‘the Schrems II Case’. For most businesses and organizations, Standard Contractual Clauses (SCCs) are the best way to keep data flowing to the UK.
- The UK government has stated that transfers to the EEA will not be restricted. That means companies sending data from the UK to the EEA will still be able to do so without taking any additional steps.
How will the shift affect 2Checkout merchants?
As a merchant, you may be wondering about the impact of this ruling and you may have some questions about the whole process. As your trusted commerce partner, we’ll continue supporting you through all regulatory updates. Currently, our business relationship continues to rely on SCC, and we will inform you of any changes. You can always find up-to-date information on 2Checkout data flows by reviewing our terms and conditions and our service agreement.
How can I get more information on key data protection requirements to consider at the end of the UK’s transition period?
The UK Information Commissioner’s Office (ICO) held a webinar aimed at small and medium organizations that discusses and focuses on the role of the ICO, how data can continue to flow to and from the UK, the impact of the Schrems II judgment and the requirements for EU Representatives.
We encourage our business partners to keep an eye on news from these reliable sources:
- European Commission
- UK Information Commissioner’s Office: Data Protection at the end of the transition period
- European Data Protection Board: What non-EU and non-UK companies should know about Brexit and the Data Protection Representative
2Checkout will continue to stay on top of discussions and decisions for a potential post-Brexit deal, monitoring impact on data protection regulations and taking the necessary steps to ensure compliance for all our merchants. Follow our updates to keep up with developments in this area.