Brexit: Authorities will enforce unlawful data transfers

It seems very likely that the UK will leave the EU under a “no-deal” Scenario and become a third country in terms of data protection. Beside the fact that in the absence of an adequacy decision each transfer of personal data between the EU and the UK will need to be appropriately safeguarded, UK companies making business in the EU may have to designate an EU representative. In addition, according to the GDPR, companies concerned with the cross-border transfer of personal data obtained within the area of the EU will need to consider specific documentation and information obligations.

As the UK and the EU could not even agree on a transition period yet, all these data protection obligations are required to be in place as of the 30th March, 00:00 h (CET). The data protection authorities of the EU already announced that they will not grant a transition period regarding the required data protection measures and actions pursuant to the GDPR that need to be taken. The unlawful transfer or processing of personal data to or within the UK will thus not be tolerated by the EU supervisory authorities as of day one after BREXIT. Bearing this in mind, first and foremost, the EU Commission’s Standard Contractual Clauses should be in place if there is no other appropriate safeguard, e.g. Binding Corporate Rules (BCR), existent to ensure the lawfulness of the transfer of EU personal data.

If not yet done, now is the time to think about the required steps and develop a “BREXIT data protection strategy” in order to be compliant with the GDPR when the UK leaves the EU under a “no-deal” BREXIT.