Public and commercial organisations, including agencies, under a no-Brexit-deal scenario, should follow a five-step process when transferring data to the UK, according to the European Data Protection Board (EDPB).
Firstly, organisations should identify what processing activities will imply a personal data transfer to the UK. Based on that, they should determine an appropriate data transfer instrument (standard and ad hoc data protection clauses, binding corporate rules or codes of conduct and certification mechanisms) and implement it by the Brexit date. In their internal documentation they should indicate that transfers will be made to the UK and privacy notices to individuals should be updated accordingly.
These options are all in compliance with the General Data Protection Regulation (GDPR).
Regarding data transfers from the UK to the EEA, the UK Government has announced that the current practice, which permits personal data to flow freely from the UK to the EEA, will continue in the event of a no-deal Brexit.
As a result of Brexit, the UK will become a ‘third country’ in relation to the EU. If there is no special agreement in place between the two parties, all the EU rules and regulations will instantly cease to apply to the UK on 29 March 2019.