If there is a no-deal Brexit on 29th March, it will affect you immediately if you:
Following a no-deal Brexit there will be two separate (albeit very similar) data protection regimes in place: the UK one and the EEA one. If you carry out any of the activities set out above, you will have to comply with both regimes. The effect of the notice issued by the EEA regulators is that transfers of personal data from the EEA to the UK will, from 23:00 (London time) on 29th March, no longer automatically be compliant with the (EU) General Data Protection Regulation (EUGDPR).
There will therefore be immediate restrictions on transfers of personal data from the EEA to the UK. You and your EEA partner (where applicable) will have to implement one of the safeguards under the EUGDPR to make such transfers lawful unless you can rely on a derogation.
We therefore recommend that you take steps now to ensure the continued free flow of personal data if the UK leaves with no deal on 29th March.
If you only receive personal data in the UK from the EEA, you will not be subject to the same restrictions because the UK Government has confirmed that transfers of personal data from the EEA to the UK will continue to be compliant with UK law. Nevertheless, you may still find that your EEA partner asks for changes to your agreement with them (and possibly also to your data privacy policy) so that their own processing continues to be lawful under the EEA regime.
Which safeguard or derogation is most appropriate will turn on the facts of your particular situation. For example, an emergency transfer of medical information should be treated differently from the routine transfer of commercial information.
The safeguards most likely to be helpful at this stage are:
Some multinational groups of companies already have Binding Corporate Rules (BCRs). If yours does, these will continue to be valid. However, if the ICO acts as your BCR Lead Supervisory Authority then you will need to identify a new authority within the EEA.
The EUGDPR provides for certain situations where safeguards, such as those mentioned above, are not required. These are referred to as 'derogations'. Examples include where the transfer of personal data is necessary for the performance of a contract with the data subject, or where the individual has provided explicit consent for the transfer of their data. However, before relying on a derogation you should consider whether a safeguard can be used, because derogations should mainly be used for transfers which are occasional and non-repetitive.
Whichever mechanism you choose to use, you should review your data privacy policies or transparency notices to ensure that they correctly reflect the new arrangements.
Once you have decided how to make your processing lawful and reviewed your privacy policies, you should update your data processing record accordingly.
Employers of EU nationals must also be aware of the impact a 'no deal' Brexit will have on their workforce, and should take steps to prepare accordingly.
It remains possible that a last-minute resolution will be reached, but as the end of March draws closer, we now recommend that you prepare for a 'no deal' scenario in good time.