Article | Risk Management Matters – Legal PI

Ten steps law firms can follow to protect data post Brexit

Financial, Executive and Professional Risks (FINEX)

By Joanne Cracknell | May 18, 2021

In this article we discuss what law firms need to do to comply with the requisite data protection legislation.


The EU-UK Trade and Cooperation Agreement (the Agreement)[1] established commitments by both the UK and the EU, which include provisions to protect data. One of the specific data protection safeguards created by the Agreement was a bridging mechanism which permits personal data to continue to flow temporarily from the EU/EEA to the UK without additional safeguards. This came into effect on 1 January 2021 for a period of up to four months, until the UK receives an adequacy decision from the European Commission.

This article considers what steps can be taken during the bridging period in order to comply with the requisite data protection legislation.

The bridging period

The four month bridging period can be automatically extended by a further two months if the EU and the UK agree. Data flowing from the UK to the EU/EEA should not be affected as the UK Government has determined that it considers all 27 EU countries and EEA member states to be adequate for the purposes of data protection.

In the event that an adequacy decision is not received by the end of the bridging period, the UK will be treated as a ‘third country’ and therefore all transfers of data from the EU/EEA to the UK must comply with the transfer restrictions of the EU General Data Protection Regulation[2] (EU GDPR). Remember that the Data Protection Act 2018[3] will continue to apply, and that the provisions of the EU GDPR were integrated directly into domestic law on 31 December 2020 and became the UK GDPR.

However, it would seem that the UK is one step closer to achieving the necessary approval, as the EU has recently published its draft data adequacy decisions[4]. The EU Commissioner is hopeful that the Commission will be in a position to proceed with the adoption of the UK data and law-enforcement adequacy decisions ‘by the end of May, beginning of June’ 2021[5]. However, the decision is not yet a fait accompli, as Member State approval is required and the draft has been met with some hostility by EU lawmakers.

Ten actions to be taken during the bridging period

Whilst the intention is to grant the UK an adequacy decision before the end of the bridging period, this is by no means guaranteed. As discussed during the recent Willis Towers Watson Data Protection roundtable event held in January 2021, it is recommended that firms make good use of the bridging period to plan and prepare, and work with EU/EEA organisations with whom personal data is transferred to ensure compliance with the requisite data protection regimes.

It is also recommended that alternative transfer mechanisms are implemented to safeguard against any possible interruption to the free flow of personal data. These can include binding corporate rules, standard contractual clauses, certification and codes of conduct, and derogations (applying to EU data exporters only).

Much of the preparation work should have already been started in readiness for the transition period, but the message here is to not be overwhelmed by the enormity of the task ahead and to break each task into smaller ones.

Some recommended actions include these ten steps:-

  1. Carry out a mapping exercise in order to fully understand what data you process and why. Understand where it is stored and how it is transferred to ensure it complies with both the EU GDPR and the UK Data Protection legislation.
  2. Conduct an audit of your EU/EEA to UK data transfers and liaise with EU/EEA based clients and suppliers and consider putting standard contractual clauses in place. You may find the Information Commissioner’s Office’s (ICO) interactive tool[6] helpful for this exercise.
  3. Consider whether you need to appoint a UK and/or an EU representative.
  4. Assess whether you need to appoint a new lead regulatory authority in addition to the ICO.
  5. Review and update privacy notices, consents and relevant policies and procedures to ensure they reflect the correct legislation and explain what types of data you hold and how personal data will be transferred.
  6. Consider the language in consent notices to assess whether they are adequate or whether you need to obtain fresh consent.
  7. Review data protection impact assessments and legal impact assessments to ensure that they are compliant.
  8. Tell clients, suppliers and other third parties what you are doing in relation to the transfer of data.
  9. Ensure staff are aware of the changes and what is happening and ensure training is provided.
  10. Maintain records of all action taken and decisions made.

Causes of Data Breaches

Regardless of where data is flowing, data must remain secure at all times, and despite the pandemic and Brexit, personal data security breaches must still be reported to the ICO. Every quarter the ICO publishes statistics analysing reported data security incidents arising from personal data breaches in every sector, and the legal sector is no exception.

The latest figures published by the ICO cover the period from 1 July 2020 to 31 October 2020[7]. During this period, in which businesses dealt with the challenges of the pandemic and the change from physical to remote/hybrid working practices, the ICO received 186 data security incident breach reports from the legal sector (based on the number of reports submitted by legal sector data controllers, which is not necessarily the number of incidents).


The breach reports are broken down into non cyber related breaches (132) and cyber related breaches (54). Over half of the non cyber related breaches arose as a result of human error with the most common causes arising from data being emailed, posted or faxed to an incorrect recipient. It is arguable that breaches resulting from phishing incidents also occurred due to human error, where members of staff were clicking on links in a phishing email.

Despite stark warnings being issued by law enforcement agencies about the increase in cyber crime during this period, cyber related breaches accounted for only 29% of the data breach reports received by the ICO. The most common causes were as follows:

[Chart: most common causes of the 54 cyber related incidents, shown as a percentage of cyber incidents; categories include unauthorised access.]

The statistics for the period of 1 April 2020 to 30 June 2020, which covered the majority of the first lockdown during March to May 2020, do not appear to be available on the ICO website, so we are not able to comment on whether the pandemic and remote working have resulted in an increase in data security incidents being reported to the ICO. However, what is clear from the figures is that despite the heightened threat of cyber crime and cyber attacks during the last 12 months, human error is very much responsible for data breaches, and it has been reported that human error caused 90% of cyber data breaches in 2019[8].


Using the bridging period wisely will help you to take the necessary actions to demonstrate compliance with the relevant data protection regime. There is a wealth of resources available, and firms should consult the guidance issued by the ICO[9], the UK Government[10], the Law Society[11] and the European Data Protection Board to help them keep up to date and compliant and to ensure that data flows remain unaffected.


[1] Gov.UK. (2021). Agreements reached between the United Kingdom of Great Britain and Northern Ireland and the European Union. Retrieved from the Gov.UK website.

[2] European Parliament and Council of the European Union. (2016). Regulation (EU) 2016/679. Retrieved from:


[4] Gov.UK. (2021). UK government welcomes the European Commission’s draft data adequacy decisions. Retrieved from the Gov.UK website:

[5] Krupa, J. (2021, March 16). EU hopes to adopt UK data adequacy decisions by early June, Reynders says. Retrieved from the MLex website:

[6] Information Commissioner’s Office. (2021). Keep data flowing from the EEA to the UK – interactive tool. Retrieved from the Information Commissioner’s Office website:

[7] Information Commissioner’s Office. (2021). Data security incident trends. Retrieved from the Information Commissioner’s Office website:

[8] Hill, M. (2020, February 6). 90% of UK Data Breaches Due to Human Error in 2019. Retrieved from the Infosecurity Group website:

[9] Information Commissioner’s Office. (2021). Data Protection after the end of the transition period. Retrieved from the Information Commissioner’s Office website:

[10] Gov.UK. (2021). Using personal data in your business or other organisation: What action you need to take regarding data protection and data flows with the EU/EEA. Retrieved from the Gov.UK website:

[11] Law Society. (2021). Brexit and the end of the transition. Retrieved from the Law Society’s website:


Associate Director - Finex PI UK Legal Services
