The GDPR (General Data Protection Regulations) were introduced by EU law but have been incorporated into UK law by the Data Protection Act 2018, so ultimately, most things will stay the same regardless of what happens with Brexit.
No Deal Brexit and GDPR | International Data Transfers
This will be the main area your organisation needs to prepare for. Even if you think you don’t transfer personal data internationally, you’d be surprised to find you actually might, even if it’s just where your personal data is stored on a cloud. For those who already comply, the main change will be your transfers to the EEA (EU countries plus Iceland, Norway and Liechtenstein).
1. If you have no contacts or customers in Europe…
As long as you comply with the GDPR and Data Protection Act 2018 now, there is little you need to do in preparation for Brexit.
If you don’t yet comply, get in touch today to find out about the GDPR services we offer to help you become compliant.
2. If you send or receive personal data to or from Europe…
Sending personal data to Europe will not be restricted so you can continue to do so (provided you’re compliant already) without the need for any additional steps. If you receive data from Europe you’ll need to take steps to ensure the data can continue to flow and you can do this by having a contract in place between you and the sender. This is because the sender in the EEA needs to be compliant in order to send data to the UK.
Although it’s their responsibility to ensure they are doing this in line with GDPR, commercially it may be within your interests to assist them to ensure the data continues to flow. This is because the UK would be considered a country that is not listed as adequate and as such there would be limitations in place for EEA countries to transfer data to the UK unless the UK is awarded adequacy status.
However to be awarded adequacy status could take at least 12 months years and is not even guaranteed, so having measures in place now would be advised.
3. If you have a European presence or European customers…
If you have offices or branches in the EEA, your European activities will be covered by EU law. If you are based in the UK but offer goods and services in the EEA you will need to comply with EU data protection laws in regards to those activities. You may also need to appoint a representative in the EEA to act as your local representative. It can’t be your current Data Protection Officer (DPO).
4. If you send or receive personal data to or from countries outside Europe…
This is likely to remain the same and there should be an adoption of current EU adequacy and approved transfer safeguards over time. Therefore if you currently comply, there is unlikely to be much more you need to do.
Make sure you update your existing data protection documentation including privacy notices and data protection impact assessments with any changes you make.
The above is all based on there being a no deal Brexit without any agreed arrangements in place for data protection. It could all change if there is a deal and we will update our GDPR clients accordingly. A no deal would be worst case scenario so it doesn’t harm by being prepared and understanding what you need to have in place in preparation for this.
For additional advice on your current GDPR compliance or following Brexit, get in touch with our legally trained GDPR practitioners.