Brexit: high data protection effort expected

The question of how Great Britain will leave the EU on 29 March remains exciting till the very last moment. The probability of a “hard” Brexit without a withdrawal agreement is increasing. Companies with a branch in the UK, for example, should therefore use British data processing service providers or use cloud services based there for the time being, especially since the European Data Protection Board has made it clear that it will not grant a transitional period for the prosecution of data protection violations.
In case of Brexit with a withdrawal agreement, companies can transfer data to the UK on this basis. It is very likely that the Commission considers the British level of data protection to be appropriate and would declare Great Britain a safe third country in the sense of Art. 45 GDPR with an adequacy decision.
In the case of a hard Brexit, Great Britain would have to be treated like any third country. Something else would only apply if the Commission took an adequacy decision, which would also be possible in this case. This would be a relatively straightforward procedure, as the Data Protection Act, adopted by the UK Government in 2018, meets the requirements of the GDPR. Whether the Commission would take the decision, however, is a political question and cannot be foreseen at present.
Without this decision, or pending its adoption, companies will have to adapt their data subjects’ rights procedures, privacy statements and other documentation accordingly and possibly update their privacy impact assessments. The obligation in Art. 46 GDPR to create one of the guarantees mentioned therein is more protracted and administratively more complex. This can be the use of the EU standard contract clauses issued by the Commission; the clauses are basically intended for contracts between two independent companies, but can also be used for internal data transfers. Binding internal data protection rules or individual contractual clauses approved by the competent supervisory authority also provide the necessary guarantee; industry associations may have rules of conduct that need to be approved.
Without such a guarantee, companies can, if necessary, invoke the exceptions regulated in Art. 49 GDPR, such as the consent of the data subject or the necessity of data transmission for the provision of the service.
Further information can be found in the publications of the European Data Protection Board: