With so much political uncertainty surrounding Brexit and what it might mean for the UK, businesses can be forgiven for assuming that they can do little to plan for it. However, in terms of data protection, there are a few important steps that a business can take to prepare. One of the most important of these steps relates to ensuring that cross-border transfers of personal data can continue in the event of a no-deal Brexit.
International Data Transfers
Transfers from the EEA to the UK
Irrespective of whether there is a no-deal Brexit or not, the GDPR will continue to apply in the UK in conjunction with, and subject to, the Data Protection Act 2018. However, this does not mean that nothing will change in relation to transfers of personal data from the EEA. This is because, unless a withdrawal agreement mandates otherwise (which, at least in the short term, seems unlikely), the UK post-Brexit will be considered a "third country".
The result of the UK being a "third country" is that the GDPR's general prohibition on the transfer of personal data from any country in the European Economic Area ("EEA") to a third country will apply. As such, companies will need to rely on a GDPR-compliant lawful transfer mechanism (e.g. the Standard Contractual Clauses) in order to permit the transfer of personal data from the EEA to the UK.
Transfers to the EEA from the UK
The UK government has confirmed that the UK will continue to allow the free flow of personal data from the UK to the EEA in the event of a no-deal Brexit (meaning that no lawful transfer mechanism is required in relation to these data flows).
Transfers from the UK to non-EEA countries
With respect to data transfers from the UK to non-EEA countries, the same law will continue to restrict those data transfers as is currently the case. So, in other words, the European Commission's adequacy decisions will continue to apply and, with respect to non-adequate countries, companies will still need to rely on a valid lawful transfer mechanism to transfer personal data...