"No Deal" issues & actions required now
The UK (including Northern Ireland) will become a “third country” for the purposes of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) after 29 March 2019 if there is a No Deal Brexit.
This means that the legal framework governing transfers of personal data from organisations established in the EU to organisations established in the UK will change as transfers of personal data to the UK will be subject to the rules on international transfers to third countries provided for in the GDPR and other EU directives and regulations.
Organisations need to prepare now to ensure they have appropriate safeguards in place to allow data flows to the UK to continue after 29 March and to prevent a No Deal Brexit having a detrimental impact on their business.
To date, the EU Commission has stated that the adoption of an adequacy decision, which would permit transfers of personal data to the UK, is not part of the Commission’s contingency planning.
Action required now
Review Data Flows: Organisations established in the EU that are transmitting personal data will need to review their personal data flows and seek to isolate personal data that is being transmitted to and processed in the UK. The contracts underlying these transfers should also be reviewed. These transfers will, after 29 March 2019, be considered “restricted transfers.”
Actions: Once restricted transfers have been isolated, there are a number of options available to organisations to lawfully transfer personal data to the UK:
The UK has stated that it will treat data protection laws in the EU equivalent to UK laws in the event of a No Deal Scenario.
Action required now
As such, the transfer of data from businesses operating in the UK to businesses in the EU should not be impacted in the event of a No Deal Brexit.