Despite previously receiving assurances from the EU on UK adequacy on data transfers, it now appears this is not guaranteed or assured.
What preparations should I take now to prepare our organisation in the event this does not pass through European parliament.
New EU SCCs are on the horizon, and should be announced before the transition period with the UK ends, so I would hang fire on incorporating existing SCCs into any drafts.
As Ian mentioned, the UK has given all EU (in fact, all EEA) countries adequacy in an amendment to the Data Protection Act 2018.
If you have EU based entities providing personal data into UK based processors/Controllers I would suggest prioritizing those contracts/Intra-group agreements and getting ready to potentially implement the EC Standard contract Clauses (these are the only ones available at present) – either controller to Processor or controller on these contracts. UK to EU data flows should be unaffected, given the UK has already deemed the EU adequate.
There is also the issue of Transfer Impact Assessment following the schrems II judgement, but for now I’d say key is to identify those transfers impacted and get access to their contracts if you can and then see if adequacy or an extension to sorting this out is given