Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice


When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

The treaty has been agreed.

You may have noticed recently that the UK has decided to leave the European Union, in a process commonly known as Brexit.

We posted a blog article earlier this month on the changes to data protection resulting from Brexit, and now that a treaty has been agreed at the eleventh hour between the EU and the UK we felt an update was appropriate.

GDPR image with electronic devices

Adequacy decision delayed

The main issue that was outstanding in the area of data protection was whether the EU would grant an adequacy decision to the UK. This would mean that transfers of personal data from the EU to the UK would be allowed without putting any additional safeguards in place. The treaty still doesn’t answer this question; what it does instead is provide for a four month grace period (also being referred to as a “data bridge”), extendable by a further two months (indications are that this is very likely to happen), to cover such transfers, as long as the UK doesn’t make any significant changes to its laws or exercise many of the provisions made within them.

During this time, the question of UK adequacy will still be considered by the EU. If it is granted then the grace period will end. If it is not granted at the end of the six month period, then in theory we enter a situation where the UK is considered an “inadequate” country for transfer purposes, and appropriate safeguards such as standard contractual clauses (SCCs) or binding corporate rules (BCRs) may be required.

Will they or won't they?

The results of the EU’s deliberations are by no means a foregone conclusion; some would say that a refusal by the EU to grant the UK an adequacy decision, given that the UK has decided to adopt data protection laws very similar to the EU (the UK GDPR), would be hard to justify, and would make it more difficult for such decisions to be made in favour of other countries that are also being considered. On the other hand, the recent Schrems II judgement by the European Court of Justice which destroyed the EU US Privacy Shield scheme may make such adequacy decisions harder because it places a brighter spotlight on government use of personal data.

Should action be taken now?

If your organisation currently transfers personal data from the EU to the UK, you now have a further six months to think about how best to justify it. You could cross your fingers and hope that the EU makes that adequacy decision, or you could start now to plan a contingency (if you haven’t already) to cater for the situation where the decision doesn’t go the UK’s way. I think I know which I would do.

As a last note, it’s worth making the point that this grace period doesn’t affect the need to appoint a representative in the EU and/or the UK to deal with data subjects and supervisory authorities. CertiKit has partnered with DataRep who provide such services, so get in touch with us at [email protected] and we can give you a discount code for 10% off their rates.

We’ve helped more than 4000 businesses with their compliance


The documents are super easy to follow. You give very clear instructions on how we can make it our own. Keep up the good work.

i2x GmbH

View all Testimonials