The UK (including Northern Ireland) will become a “third country” for the purposes of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) after 29 March 2019 if there is a No Deal Brexit. 

This means that the legal framework governing transfers of personal data from organisations established in the EU to organisations established in the UK will change as transfers of personal data to the UK will be subject to the rules on international transfers to third countries provided for in the GDPR and other EU directives and regulations. 

Organisations need to prepare now to ensure they have appropriate safeguards in place to allow data flows to the UK to continue after 29 March and to prevent a No Deal Brexit having a detrimental impact on their business. 

To date, the EU Commission has stated that the adoption of an adequacy decision, which would permit transfers of personal data to the UK, is not part of the Commission’s contingency planning.  

Action required now

Review Data Flows: Organisations established in the EU that are transmitting personal data will need to review their personal data flows and seek to isolate personal data that is being transmitted to and processed in the UK.  The contracts underlying these  transfers should also be reviewed. These transfers will, after 29 March 2019, be considered “restricted transfers.”

Actions: Once restricted transfers have been isolated, there are a number of options available to organisations to lawfully transfer personal data to the UK:

• the parties to a contract involving restricted transfers may insert model Standard Contractual Clauses (approved by the European Commission) in the contract which will provide the appropriate safeguards to permit the transfer of personal data to the UK;
• where restricted transfers are being made between entities within a multinational group of companies, or groups of enterprises engaged in a joint economic activity, an application may be made to the competent data protection authority (ies) for binding corporate rules (“BCRs”) to be adopted by the group, that will provide the appropriate safeguards.  BCRs are legally binding internal rules, similar to codes of conduct, which set out the group’s common data processing standards;
• consider whether the restricted transfers would fall within one of the derogations provided in the GDPR namely, where explicit consent to the restricted transfer is provided by the owner of the personal data, where the restricted transfer is necessary for the performance of a contract or where the restricted transfer is required for reasons of public interest, public security or the exercise of legal claims;
• update the company/group Privacy Notice and other relevant documentation (including any clauses relating to consent) to include the granting of permission to transfer personal data to a third country, as defined under the GDPR.

The UK has stated that it will treat data protection laws in the EU equivalent to UK laws in the event of a No Deal Scenario.

Action required now

As such, the transfer of data from businesses operating in the UK to businesses in the EU should not be impacted in the event of a No Deal Brexit.