What should UK business do when it comes to GDPR if no deal Brexit actually takes place?
At first glance, no deal Brexit should not pose a major problem for UK businesses. The UK applies GDPR and will continue to apply it, either directly or based on Data Protection Act 2018. There are no major plans to change the principles or even the rules of GDPR. It could be business as usual. But not quite.
No deal data transfers EU-UK
The transfers of personal data from the EU to the UK will be deemed transfers to a third country. Whereas one could expect the European Commission to issue an adequacy decision for the UK based on the UK’s law being based on EU GDPR, this decision might not be timely. Accordingly, businesses might need to cover such transfers, most likely using Standard Contractual Clauses (SCC). The ICO has decided to help them out with this tool: https://ico.org.uk/for-organisations/data-protection-and-brexit/standard-contractual-clauses-for-transfers-from-the-eea-to-the-uk-interactive-tool/y
The good news is that the UK government has stated that, when the UK exits the EU, transfers to the EEA from the UK will not be restricted. There will be transitional provision for a UK adequacy decision to cover these transfers. This means you will able to continue to send personal data from the UK to the EEA without any additional requirements.
Appointing a data protection representative in the EU
Depending on what you do, you may need to appoint a data protection representative in the EU. This will most likely be the case if you are offering goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the EU, for example via a website. Similarly, this will apply to your online or offline monitoring of people’s behaviour as far as this behaviour takes place within the EU. Where you have a subsidiary in the EU, they can act as your representative, and if you have a branch established in the EU, no representative would be required.
