The government issued, on 13 December, a technical note that complements the ICO’s guidance of the future data protection regime in case of a Brexit no-deal.
The government says it is committed to ensure the UK data protection framework continues to operate effectively when the UK is no longer in the EU. It intends to issue regulations and more detailed guidance in the coming weeks ‘to make appropriate changes to the GDPR and the Data Protection Act 2018 using regulation-making powers under the EU Withdrawal Agreement.’ The vast majority of the changes will involve removing references to EU institutions and procedures that will not be directly relevant when the UK is outside the EU.
The new regulations will confirm that the GDPR will remain valid in the UK, and the UK will transitionally recognise all EEA countries (including EU Member States) and Gibraltar as ‘adequate’ to allow data flows from the UK to Europe to continue, and preserve the effect of existing EU adequacy decisions, including the EU-US Privacy Shield, on a transitional basis.
EU Standard Contractual Clauses will remain valid as well as Binding Corporate Rules authorised before Exit day. The government says it will also maintain the extraterritorial scope of the UK data protection framework, and oblige non-UK controllers who are subject to the UK data protection framework to appoint a representative in the UK if they are processing UK data on a large scale.
See the government’s guidance.