At the moment, Brexit is characterized by the fact that the final outcome of the process seems completely open. The withdrawal agreement negotiated by the ruling cabinet was clearly rejected by the House of Commons, which once again broadened the range of political options that businesses must consider at the same time. Due to the political stalemate, various scenarios seem realistic: a so-called hard Brexit, new or further negotiations on a withdrawal agreement, extended powers for the British parliament and correspondingly modified negotiations, or a second referendum. What is certain, however, is that complications and risks to data protection and data security may also arise as of 30 March 2019.
Private companies dealing with data transfers and data storage in the United Kingdom can, for the most part, only watch these political processes passively. However, there are certain precautions that stakeholders can take to ensure data security and privacy in this situation.
- Make arrangements for data transfers between the EU and the United Kingdom. If the UK leaves the EU on 30 March, it will automatically become a third country under data protection law, and the adequacy of its data protection could be open to discussion under the GDPR. In this case, precautions must be taken to ensure that data transfers to and from the United Kingdom can continue.
- Make arrangements for data transfers between the United Kingdom and third countries. After it leaves the EU, third countries might also no longer regard the UK as a safe third country with an adequate level of protection. Here, too, precautions need to be taken as far in advance as possible.
- Find a replacement for the ICO, the British supreme supervisory authority.
- Appoint an EU Data Protection Officer in the United Kingdom if the GDPR remains applicable under Article 3(2) of the GDPR.
- Contractually warrant, and continue to comply with, EU data processing standards for customers domiciled in the EU. In order to maintain a certain level of security for customers in the transition period after 30 March 2019, it is recommended that data processing providers in the United Kingdom contractually assure their customers of compliance with EU data protection standards.
- Continue to work in a GDPR-compliant manner. In order to be recognised as a third country with an adequate level of protection, and in order not to lose customers from the EU, it is recommended that British data processing providers continue to work in accordance with the rules of the GDPR.
Download the presentation on “Collision Course? GDPR meets UK and Swiss law” by RA Nicole Beranek Zanon (de la cruz beranek) and RA Rohan Massey (Ropes & Gray).