The last week has been a trying time for Brexiters and Remainers alike. Regardless of your individual affiliation, the potential implications for the protection of data across Europe should be a material concern. All UK organisations transferring data to, and more importantly receiving data from, the EU must consider their legal position following one of the potential Brexit outcomes.
Although there are a number of scenarios that may unfold in the coming two months, for the sake of simplicity we have set out the potential data protection implications of a ‘soft’ and a ‘hard’ Brexit.
Scenario 1 – Negotiate a compromise
This scenario assumes that we proceed with the current Withdrawal Agreement, more commonly referred to as a ‘soft Brexit’. Under the current ‘agreement’, the UK will be bound to comply with "Union law on the protection of personal data".
Upon leaving the EU, however, the UK would automatically become a ‘third country’ as defined within the GDPR. Transfers of data from the EU will still be permissible where the European Commission confirms that the UK Government upholds data protection standards to a suitable level, also known as an ‘adequacy decision’.
Although there has been some political posturing from the European Commission over whether it will grant the UK an adequacy decision, it makes sense to read this as an attempt to strengthen the EU’s negotiating position to secure a soft Brexit, rather than as an actual risk to UK organisations.
Although the near-term impact on UK organisations under this scenario will be limited, we can expect the Information Commissioner’s Office (ICO) to start paying more attention to firms processing personal data of EU residents.
Scenario 2 – Going it alone
This scenario considers the (increasingly likely) possibility that the UK is unable to agree terms for its withdrawal from the EU (also referred to as a ‘hard Brexit’) or that the European Commission does not provide a data protection adequacy decision. In either event, the implications for transferring data from EU organisations (including subsidiaries) to the UK will be significant.
Under this scenario, EU organisations will only be able to transfer data to the UK legally under one of the following circumstances:
- Appropriate safeguards are in place
- Binding corporate rules exist between group members
- General or country-specific legal exemptions (derogations) exist
UK organisations should consider data transfers from EU organisations and validate the lawful basis for processing this data. Most UK organisations will already have experience of identifying and analysing their own processing operations in order to comply with Article 30 of the GDPR.
Where there is a reliance on data transferred from the EU, UK-based organisations should be working with their EU data controllers and processors to establish the effort required to implement the necessary operational, technical or contractual safeguards to meet their legal obligations.
There are positives and negatives surrounding each of the mechanisms that can be relied upon for the free transfer of data from the EU. Organisations must make plans now that will limit any disruption should the worst-case scenario happen.
In our next blog in this series, we will explore some of these safeguards in more detail, when they are appropriate and how best to implement them.
 The United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community, as endorsed by leaders at a special meeting of the European Council on 25 November 2018
 Title VII and Articles 70-74