The EDPB has published information notes on Data Transfers under the GDPR in the Event of a No-Deal Brexit, and on BCRs for Companies Which Have ICO as BCR Lead Supervisory Authority to help organisations prepare for a no-deal Brexit. The information notes build on guidance already issued by the UK ICO and Irish Data Protection Commission (discussed here).
The Information Note on Data Transfers warns, once again, that the UK will be a ‘third country’ from 30 March 2019. As a result, personal data cannot be transferred from the EEA to the UK unless organisations implement a data transfer mechanism under the GDPR, such as standard contractual clauses; ad hoc contractual clauses (authorised by the competent supervisory authority, following an opinion by the EDPB); binding corporate rules (BCRs); codes of conduct and certification mechanisms, or a derogation. In regard to data transfers from the UK to the EEA, the UK Government have confirmed the current practice, which permits personal data to flow freely from the UK to the EEA, will continue in the event of a no-deal Brexit.
The EDPB sets out 5 steps that organisations should take to prepare for a no-deal Brexit, including:
1. Identify what processing activities involve a personal data transfer from the EEA to the UK;
2. Determine the appropriate data transfer mechanism;
3. Implement the transfer mechanism by March 30 2019;
4. Indicate in your internal documentation that transfers will be made to the UK; and
5. Update privacy notices to inform individuals that transfers will be made to the UK.
The Information Note on BCRs provides guidance for companies which have the UK ICO as their BCR lead supervisory authority. The EDPB recommends such companies take the following steps:
- Groups headquartered in the UK wishing to apply for BCRs should identify the most appropriate BCR lead supervisory authority in an EU Member State;
- Groups with BCRs at the review stage by the ICO should identify a new BCR lead supervisory authority. That new authority will take over the application and initiate a new procedure at the time of a no-deal Brexit;
- If a draft ICO decision approving BCRs is pending before the EDPB at the time of a no-deal Brexit, the group should identify a new BCR lead supervisory authority. The new authority will take over and resubmit a draft decision for approval of the BCRs to the EDPB; and
- ICO authorised BCR holders should identify their new BCR lead supervisory authority.
The EDPB highlight that the supervisory authority that may be approached to act as new lead authority will consider, in cooperation with other concerned authorities, whether it is the appropriate BCR lead on a case by case basis.