Handling personal data is an issue all organisations face with Brexit closely approaching especially if a no-deal Brexit was to take place. However, in the event of a no-deal Brexit, there would be no immediate change in the Uk’s own data protection standards.
The Data Protection Act 2018 would still remain intact and the EU Withdrawal Act would incorporate the GDPR inline with the UK law.
However, the legal framework governing the transfer of personal data from EU to the UK would change on exit. All transfers of personal data from the EU to the UK will need to have lawful transfer mechanisms in place, in order to be permissible under the EU law.
Organisations would still be able to continue to send personal data from the UK to the EU. As the UK at the point of exit; continue to allow the free flow of personal data from the UK to the EU. With the UK keeping this under review.
What you would need to do
The European Commission has not yet indicated a timetable for this and has stated that the decision on adequacy cannot be taken until we are a third party country.
If there is no adequate decision regarding the UK at the point of exit and you to receive personal data from organisations established in the EU (including data centres) then you should consider assisting your EU partners in identifying a legal basis for those transfers.
To continue trading with as little or no disruptions organisations need to show that they have sufficient measures in place for their customers’ data, as Brexit doesn’t give organisations any exit clause, especially those ones who will continue to hold the personal data of EU citizens going forward.
