The UK data protection authority released advice and guidance to get ready for the worst-case scenario.
Background: As the date of the UK’s withdrawal from the EU looms (it is scheduled to happen on 29 March 2019), there is still uncertainty as to how Brexit will happen in practice. Despite the reassurance that Parliament and Government want to avoid exiting without a deal, such an outcome is still a material risk.
What does no-deal mean for data protection? There is potential for heavy disruption to data-driven industries. While the UK Government has given reassurances that it will allow the free flow of data from the UK to the EEA, things are much more uncertain for data going in the opposite direction. Without a formal adequacy decision from the European Commission, UK companies will not be able to continue the frictionless processing of personal data of EU.
What is the ICO doing about it? The regulator published three tools, including: a ‘Six Steps to Take’ guide; broader guidance on the effects of leaving the EU without a withdrawal agreement; and a general overview in the form of FAQs. In some cases, companies are invited to consider steps such as appointing a representative in the EU, and to identify which EU authority will be their ‘lead supervisor’ after 29 March. Companies are advised to plan ahead, and to make sure their key people are aware of the implications of a possible no-deal exit.