Bank of England urges business to address data protection ahead of end of transition period

In a ‘Dear CEO’ letter jointly sent out today by the Bank of England’s regulatory bodies – the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) – UK business leaders have been urged to ensure data compliance ahead of the end of the Brexit transition period on 31 December.

The letter, headed ‘Final preparations for the end of the transition period’, notes that the transition period, which began when the UK left the EU on Friday 31 January 2020, is due to end at 11pm on Thursday 31 December 2020.

The missive says that it is imperative that firms continue to build on their preparatory work to ensure that they, and to the extent possible their clients, are ready for a range of scenarios at the end of the transition period.

The letter adopts a positive tone when it says that “as noted by the Financial Policy Committee (FPC) in its statement on Thursday 8 October 2020, most risks to UK financial stability that could arise from disruption to the provision of cross-border financial services, should the transition period end without the UK and EU agreeing equivalence or other arrangements for financial services, have been mitigated”.

“This reflects the extensive preparations made by authorities and the private sector over a number of years,” it adds.

However, one potential area of concern is data. As the PRA and FCA observe, “in the absence of a decision by the European Commission on UK data protection adequacy, the use of standard contractual clauses (SCCs) in relevant contracts is one of the available ways that EEA firms can comply with the EU’s cross-border personal data transfer laws after the expiry of the transition period”.

The letter goes on to say that UK firms are generally well-advanced in making arrangements for the implementation of these clauses into UK-EEA contracts, but stresses:

“You may need to consider whether contracts involving the transfer of personal data to your firm from the EEA (where those contracts have not yet been remediated) need to be updated to comply with EU requirements or to consider other appropriate measures for personal data transfers from the EEA into your firm in the UK, where this is necessary to ensure the continuity of services to your firm. This could include reviewing the position for EU vendors or third parties on which your services rely.”

“Where SCCs are in place please note the advice from the European Data Protection Board and the UK’s Information Commissioner’s Office, and applicable EU case law.”