A recent University College London study found, unsurprisingly, that ‘a no-deal Brexit would seriously disrupt the free flow of commercially valuable data between Europe and the UK.’ They also comment that ‘companies across the finance, hospitality, manufacturing and technology sectors facing “immense” extra costs’ according to a Guardian report late in August.
In the information economy, data transfer is the lifeblood of trade, so a no-deal Brexit could have serious economic consequences.
The Information Commissioner’s Office should be your first port of call for advice. As they note, ‘GDPR provides rules setting out when and how a transfer of personal data protected by the GDPR to outside of that protection may take place; this is usually because the data is moving to countries outside the EEA.’ However, ‘if you transfer personal data outside the EEA now, you should already have in place arrangements for making a restricted transfer under the GDPR.’
The ICO draw attention to two sets of rules to consider for the exit date, to be applied either if you are making a restricted transfer outwards from the UK; or if you are receiving personal data from outside the UK (including from the EEA) into the UK.
As it stands, things are still not completely resolved in these areas, see here the ICO’s current advice.
BCS does not have legal expertise in this area and we are apolitical with regard leaving the EU. But there is clearly substantial uncertainty around data transfer post Brexit at the moment, so we recommend that members urgently consult the ICO link to find out what they need to do to prepare if they want to continue transferring data outside the UK.