GDPR: what will be the consequences of Brexit in the event of a "no deal"?
The date of October 31 is getting closer, and the possibility of an agreement between the EU and the United Kingdom is getting further and further away. What will be the consequences of Brexit on personal data flows (GDPR) between the EU and the United Kingdom in the event of "no deal"? Don't panic, we'll tell you everything.
If this no-deal Brexit is confirmed, EU data controllers and processors will have to ensure a sufficient and appropriate level of protection to transfer data to the United Kingdom from 1 November 2019. Indeed, the country will not be considered an adequate country regarding the protection of personal data until the European Commission recognizes it as such on the basis of Article 45 of the GDPR.
Unsurprisingly, you will be affected by this "no deal" as soon as you make data transfers to the UK from 1 November 2019. For those who are behind on the subject, the GDPR provides for a specific regime applicable to transfers outside the European Union. Thus, tools can be put in place to continue these data flows.
Anticipate the consequences of Brexit in the absence of an agreement on GDPR
Among the tools proposed to anticipate the consequences of Brexit in the absence of an agreement, we can find:
- Standard contractual clauses: these are model data transfer contracts adopted by the European Commission. They are considered ready to use, and you can find them directly on the CNIL website.
- Specific contractual clauses known as "ad-hoc": these are contracts that make it possible to regulate data transfers in specific situations where the standard clauses require modification. They must be previously authorized by the CNIL after the opinion of the European Committee on Data Protection (EDPS).
- Binding corporate rules (BCR): this is an intra-group data protection policy. They are binding and must be respected by the signatory entities, regardless of where they are located. You will find information for implementing such rules on the CNIL website.
- Codes of conduct and certification mechanisms: these tools must, however, include the binding and enforceable commitment made by non-EU recipients to apply these provisions. Once again, they must be authorized by the CNIL after advice from the CEPB. These are new tools introduced by the GDPR, and the CEPB is currently working on guidelines and recommendations.
What are the steps to follow to ensure your GDPR compliance in the event of Brexit?
The CNIL has published a list of steps to follow to prepare for the consequences of Brexit in the event of "no deal", following the recommendations of the European Data Protection Supervisor:
- Identify processing activities constituting a transfer of personal data to the UK
- Determine the adequate transfer tools and put them in place before 1 November 2019
- Update the processing register in order to register transfers to the UK
- Inform data subjects that a data transfer exists
Maintaining an accurate processing register is therefore essential to anticipate this no-deal Brexit, in order to have a clear vision of the data processing carried out by the company and to put in place appropriate measures.
Finally, regarding data sent from the United Kingdom to the European Union, the situation remains unchanged and the free movement of data will be permitted without the need for additional guarantees.