In the absence of an agreement between the EEA and the UK (no-deal Brexit), the UK becomes a „third country” as of 00.00 am CET on 30 March 2019. This means that the organisations should revise those of their processing activities, which imply transfer of personal data to the UK.
The European Data Protection Board (EDPB) adopted an information note on 12 February 2019, which provides further details to commercial and public organisations for the transfer of personal data to the UK in the event of a no-deal Brexit. The EDPB recommends the following 5 steps organisations should take to prepare for a no-deal Brexit, when transferring data to the UK:
- Identify what processing activities will imply a personal data transfer to the UK;
- Determine the appropriate data transfer instrument (see Chapter V of GDPR) for the organisation’s situation;
- Implement the chosen data transfer instrument to be ready for 30 March 2019;
- Indicate in the internal documentation that transfers will be made to the UK;
- Update the privacy notice accordingly to inform individuals.
As to the data transfers from the UK to EEA Member States, according to the UK Government, the current practice (i.e. which permits personal data to flow freely from the UK to the EEA) will continue in the event of a no-deal Brexit.