The European Data Protection Board (EDPB) – the panel of EU privacy regulators – has published an information note on data transfers under the GDPR in the event of a no-deal Brexit. The note explains that in the absence of an agreement between Europe and the UK, the UK will be deemed an inadequate “third country” after the Brexit on March 30, 2019.
The note instructs organizations that need to transfer data to the UK to take the following steps in preparation for a no-deal Brexit –
1. Identify what processing activities will imply a personal data transfer to the UK
2. Determine the appropriate data transfer instrument for the organizations’ situation
3. Implement the chosen data transfer instrument to be ready for 30 March 2019
4. Indicate in the organizations’ internal documentation that transfers will be made to the UK
5. Update the organizations’ privacy notice accordingly to inform individuals.
The note further explains that the transfer of personal data to the UK must be based on one of the recognized instruments, such as standard or ad hoc data protection clauses or binding corporate rules.
Regarding data transfers from the UK to member states of the European Economic Area (EEA), the note echoes the UK Government’s position according to which personal data is permitted to flow freely from the UK to the EEA, in the event of a no-deal Brexit. To this end, the note recommends that organization regularly review the websites of the UK Government and the Information Commissioner’s Office (ICO – the UK privacy regulator).
Click HERE to read the information note.
This article was published in the Internet, Cyber and Copyright Group’s February 2019 Newsletter.