The European Data Protection Board (EDPB) last week adopted a paper clarifying the position in relation to data transfers between the EU and UK in the event of a no deal Brexit.
The EDPB confirmed that if the UK exits the EU without a deal, then with effect from 30 March 2019 the UK will be regarded as a “third country” for the purposes of the GDPR and any transfers of personal data from the EU to the UK from that point. The UK will in effect be treated in the same way as other “third countries” (such as India and the US) from that date.
This post summarises the impact of the EDPB’s note and outlines the practical implications and steps which UK businesses may want to consider. In the discussion below, we refer to transfers into and out of the European Economic Area (EEA) rather than the EU because the EEA countries have adopted the GDPR, and the position relating to data transfers will be the same in respect of the three additional EEA countries, as for the core EU countries. Readers may also find it useful to review our previous blog post on the data protection implications of a deal/no deal Brexit which contains our GDPR Brexit flowchart.
Click here to read more.