Guardum comment: data adequacy decision

With time running out to secure a data adequacy decision before the end of the Brexit transition period, Darren Wray, CTO at data privacy experts Guardum, offers the following comment and advice to help businesses prepare:

“As crazy as it may seem given that the UK has been part of EU Data Privacy since 1984, when the UK ends its transitionary stage with the EU at the end of the year, it will not automatically retain its GDPR equivalency. The UK will become a ‘third country’, meaning that personal data cannot be transferred to the UK without special contractual agreements being put in place by organisations and their partners. Unfortunately, the validity of such contractual arrangements is likely to be challenged.

If this situation wasn’t complicated enough, a recent court case between Max Schrems and Facebook in Ireland has seen the ability for organisations in the EU to send data to the US for processing. What difference does this make to the UK? Well, the Schrems II ruling was based on the US Government’s abilities to seize or snoop on data without the ability for citizens (EU or otherwise) to have any recourse. These abilities were revealed as part of the revelations by Edward Snowden. Unfortunately, the UK was also named as a partner in many of the global surveillance programmes revealed by Snowden. This, combined with regulation such as the Regulatory Investigatory Powers Act 2000 (RIPA) which enshrines state surveillance in UK law, means that EU firms will be forced to see the UK as not offering adequate EU data protection.

So what should companies with partners in the EU and other parts of the world be doing now to prepare for the end of the UK’s transition?

  1. Understand your data flows

Make sure that you know what personal data you are sending, to whom and what country they are based in. This should be something that all organisations have a good understanding of as part of their GDPR compliance, but things change, so now is a good time to make sure that everything is up to date.

Don’t forget to include the companies who host your corporate data, including services such as Office 365 that provide data storage and the processing of email.

  2. Understand your client and vendor agreements

Checking through your client and vendor agreements so that they can be amended ahead of time is something that every organisation ought to be doing right now. Unless firms have paid attention to this particular area in the past then there is likely to be at least some work to be done.

  3. Ensure the protection of your unstructured data

One of the things that is going to change is that, whereas before a company based in the EU could encrypt a document and send it to its UK partner for processing, in future they are likely to need to redact or remove the personal information in any documents. So before they are sent back and forth, they should use automated redaction software to minimize the risks and the workload of this process.”



Media contact

Rebecca Morpeth Spayne,
Editor, Security Portfolio

Tel: +44 (0) 1622 823 922
