ICO advises companies on how to prepare for a possible no-deal Brexit
The ICO recommends steps that companies could take now to start preparing for data protection compliance if the UK leaves the EU on 29 March 2019 without a deal.
The government has already made clear its intention to permit data to flow from the UK to European Economic Area (EEA) countries, but organisations that have data flows from the EEA to the UK will be affected. For now, the ICO is recommending Standard Contractual Clauses. The ICO will provide further information for organisations that rely on Binding Corporate Rules, explaining how they may be affected.
If the UK is currently your organisation’s lead supervisory authority, you should review the structure of your European operations to assess whether you will continue to be able to have a lead authority and benefit from the One-Stop-Shop, the ICO says.
Organisations will have to deal with both the ICO and the supervisory authority in the other EU or EEA state where they are established, the ICO advises. Organisations should consider now which other EU or EEA supervisory authority (if any) will become their lead authority on the exit date, and approach that authority closer to the exit date.
On exit, the ICO will not be a supervisory authority for the purposes of the EU GDPR and so will not be an EDPB member. However, the ICO wants to retain a strong relationship with the EDPB after exit, it says.
See:
- The guidance, aimed specifically at SMEs
- The Information Commissioner’s blog on the subject