GDPR and a no-deal Brexit: transferring data with the UK after March 29

Europe

With only 40 days to go until the deadline for the UK's exit from the EU, many businesses are now asking: if a no-deal Brexit takes place on 29 March 2019, how will this impact the transfer of data between the UK and the EU?

On 12 February 2019, the European Data Protection Board (EDPB) published an information note clarifying the steps that businesses should take to ensure the continued sharing of personal data with UK recipients in the event of a no-deal Brexit. This comes after the UK government communicated its intention to allow the transfer of personal data between the UK and the European Economic Area (EEA) without additional measures.

If the UK leaves the EU on 29 March 2019 without a deal, it will become a third country as defined by the General Data Protection Regulation (GDPR). Furthermore, prior to the exit date, the European Commission does not seem likely to issue a ruling that the UK's level of protection for personal data is adequate vis-à-vis the GDPR.

With this in mind, businesses can take the following steps to prepare for a no-deal Brexit:

  • Identify what processing activities involve the transfer of personal data between the EEA and the UK (i.e. information that is shared with a service center, cloud provider or service provider in the UK).
  • Prepare to have an appropriate data transfer mechanism in place for 30 March 2019.
  • Update internal GDPR documentation to reflect the fact that the UK is now a third country for data transfers. This includes records of processing (Article 30 GDPR).
  • Update privacy notices to reflect that personal data will be transferred to a third country (UK) and any safeguards that have been put in place.

The GDPR allows for several data transfer mechanisms. Given the limited time that remains until Brexit, however, implementing existing EC-approved model clauses seems to be the most feasible solution for businesses that cannot already rely on other mechanisms such as binding corporate rules for intra-group transfers (BCRs).

Businesses who use approved BCRs or have applied with the ICO, the UK's supervisory authority, for the approval of their BCRs will need to identify a new EU supervisory body as their lead authority.

Finally, businesses may also want to include Article 49 GDPR derogations in their preparations. These derogations allow for the transfer of personal data to third countries without an adequacy decision, for example when the data transfer is necessary for the performance of a contract with a data subject. Derogations, however, must be interpreted restrictively and relate to processing activities that are occasional and non-repetitive. More details can be found in the EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679.

For more information on the GDPR and Brexit, please contact one of our CMS experts.