On 12 February 2019, the European Data Protection Board (EDPB) met for its seventh plenary session. You can see our blog on the full session here.
At this session, the EDPB adopted two information notes. The information notes offer guidance on data protection issues in the event of a no-deal Brexit, namely: data transfers generally and binding corporate rules lead supervisory authorities (BCR lead).
Data transfers in the event of a no-deal Brexit
The guidance is separated into three distinct sections.
Preparation for transfers of data from the EEA to the UK
The EDPB sets out five steps for businesses to take in advance of Brexit. Businesses who transfer data from the European Economic Area (EEA) to the United Kingdom (UK) should start preparing now. To prepare, the EDPB suggests the following:
I. Identify the processing activities that require the transfer of personal data
II. Determine the data transfer mechanism that is most appropriate on the facts
III. Prepare the relevant transfer mechanism in advance of 30 March 2019
IV. Indicate in internal documents that you will be transferring data to the UK
V. Update your privacy notices accordingly.