Brexit: The deal is done. But what about your data room?

By Suzy Bibko, Content Marketing Manager, EMEA

There were plenty of sceptics. The ones who said it couldn’t be done. That we’d see yet another deadline come and go. But an agreement has been reached. And on December 31, 2020, the UK finally left the European Union (EU). Now that the deal is finally done, how does this affect data regulation and, most importantly, your data room?

Steady on
Despite the fear that Brexit would add increased complexity and uncertainty to laws, the good news is that nothing has really changed when it comes to data transfers between the UK and the EU for the time being. The recent EU-UK trade deal includes transitionary provisions stating that transfers of personal data from the EU to the UK will not be considered transfers of personal data to a third country until either (1) the European Commission adopts an adequacy decision in relation to the UK or (2) May 1, 2021 (which will be extended for two additional months unless either party objects). The EU’s General Data Protection Regulation (GDPR) continues to be the highest standard of data protection in the EU, with which the UK substantially already complies as its Data Protection Act was written to mirror the requirements in GDPR.

In fact, the Information Commission Officer (ICO), the regulatory body that enforces the UK’s Data Protection Act (DPA), has advised that the best preparation for data protection after Brexit is to comply with the GDPR. It has stated that the “UK is committed to maintaining the high standards of GDPR and the government plans to incorporate it into UK law alongside the Data Protection Act 2018 after Brexit.” Moreover, the ICO has made clear that, “The UK government has stated that transfers to the EU will not be restricted. So if you send data from the UK to the EEA you will still be able to do so and you don’t need to take any additional steps.”

But what about data transfers from the EU to UK? Although an “adequacy” decision (Article 45 of the GDPR) has not yet been reached, which would establish that the UK’s data protection regime is “essentially equivalent” to that of the EU, one is expected in the future, as the UK has strong legal protections regarding personal identifiable information (PII).

In the meantime, if a business in the EU is sending personal data to the UK, then that business still needs to comply with EU data protection laws, and additional steps may need to be taken to ensure the data can be transferred. Those based in the EU transferring data to the UK under the GDPR will need to have a Data Processing Agreement (DPA) that includes a Standard Contractual Clause (SCC) stating that clients agree to provide data in compliance with the GDPR.

Compliance first
At Datasite, we take data security and data protection very seriously. As server location is not impacted by Brexit, Datasite ensures that all UK and EU projects are hosted and serviced in the EU under the highest standard of data protection (GDPR). This includes hosting projects on servers located in Germany and serviced by the Client Services team in the UK and EU. Moreover, Datasite is 100% GDPR compliant and has the highest levels of data security in place and continues to invest in European client services and hosting facilities to preserve full localization of projects in the EU.

“Data protection is priority number one for Datasite,” says Patricia Elias, General Counsel, Datasite. “We are in full compliance with GDPR and are continually monitoring the regulations and standards with respect to data protection. We provide ongoing reviews, assessments, and training regarding data protection practices and obligations. In this way, we ensure best practices are met and industry-leading solutions are implemented where personal information is concerned. We want there to be no doubt that your data is safe with Datasite.”