Brexit, GDPR, AND The Timeline for Data Breaches Friday, January 22, 2021 The European Union (EU) and the United Kingdom (UK) finally came to an agreement on 24 December 2020 (EU-UK Trade and Cooperation Agreement, the Agreement), less than ten days after the European Data Protection Board (EDPB) published a statement on the consequences a no-deal situation would have on the flows of personal data between the EU and the UK (for previous coverage of General Data Protection Regulation (GDPR) and Brexit, please see our alert here). This statement has since been updated on 13 January 2021. According to this Agreement, until 30 June 2021, any transfer of personal data to the UK will be made under the current framework and will not be considered as a transfer of data to a third-party country. Nevertheless, at the end of this six-month grace period, and unless a compromise is found through an “adequacy decision,” the UK will become a third-party country in the eyes of the General Data Protection Regulation no.2016/679. Consequently, all personal data from the EU to the UK will be considered a transfer of personal data outside of the EU, to a country not offering an “adequate level of data protection” from an EU point of view, despite the regulatory framework of the UK remaining the same as it was.