Current CNIL recommendations on No-Deal Brexit

On 10th of September the French data protection authority CNIL published information on the effects of a no deal Brexit on the transfer of data from EU to Great Britain.

As things stand at present, the United Kingdom will leave the European Union on 1 November 2019 and from that date will be regarded as a so-called third country for the transfer of data under the GDPR. This requires special measures for data transfer after the Brexit.

The CNIL recommends that companies wishing to transfer personal data to the United Kingdom after Brexit take the following five steps to comply with the GDPR:

  1. Identification of processing activities concerned
  2. Determination of the appropriate transfer mechanism (e.g. standard contractual clauses)
  3. Implementation of the data transmission mechanism by 1st of November 2019.
  4. Supplement to internal documentation on data transfers to the United Kingdom
  5. Updating the Privacy Statement to reflect data transfers outside the EU

The CNIL FAQs discuss GDPR-compliant data transfer mechanisms such as standard contract clauses, ad hoc contract clauses, binding company rules, codes of conduct and certification mechanisms. The CNIL emphasises that the chosen mechanism must be effective by 1st of November 2019 – as a rule, standard contractual clauses will therefore be used.