Both the European Data Protection Board and the Irish Data Protection Commission guide companies in the steps to take.
Background: Despite the efforts to reach an agreement, the UK’s exit from the EU without a deal is increasingly likely, as the 29 March 2019 deadline looms. Should that happen, the UK would instantly become a third country for purposes of personal data transfer.
What’s new? Almost simultaneously, the EDPB (today) and the Irish DPC (8 February 2019) published guidelines for companies to continue the transfer of personal data from the EU to the UK. In particular, the EDPB’s guide lists five steps to take to prepare: identify which activities will imply a transfer of data to the UK; determine the appropriate instrument; implement it before 29 March 2019; indicate what is done in the internal documentation; and update privacy policies to reflect the changes. Instruments include standard contract clauses, binding corporate rules, codes of conduct/certification mechanisms, or derogations.
Next steps: Companies need to be ready for a no-deal scenario by 29 March 2019. For transfer of data from the UK to the EEA area, the ICO should be consulted, although the UK government stated it aims to keep it frictionless.