- 04 Feb 2019
- Philip Nabben
The British government has already announced that it will allow the flow of personal data from the UK to EU countries, but the UK government does not control the flow of EU personal data to the UK. Strictly speaking, personal data can following the Brexit not simply be transferred from EU countries to the UK without further additional agreements because after the Brexit, the UK no longer falls under the scope of the GDPR and the UK has not (yet) been included on the list of the European Union of countries with an adequate level of protection (a list to which Japan has, by the way, very recently been added.
The British privacy watchdog ICO has published an online '6-step plan' for UK businesses to help them understand the consequences of a 'no-deal' Brexit and for these businesses to take measures if necessary. For the sake of security, there will be companies considering to make use of the EU Standard Contractual Clauses between their Dutch entities and those in the UK, in order to make the exchange of personal data GDPR-compliant even in the upcoming uncertain times. This is a relatively cheap and fast method.
The Dutch Data Protection Authority has not yet commented on the (post) Brexit (enforcement), but stated last December that it would do so 'early 2019'. The privacy team of BDA will of course monitor this closely and publish an update as soon as new developments take place.