How can businesses get ready for Brexit in 2021 and beyond?
Organizations need to prepare for the worst case, that the UK will end the transition period with a ‘third country status’. UK to EU transfers are under UK law, and the UK government has stated that it will remain unaffected. EU to UK transfers will need to prepare for a no-deal future with Standard Contractual Clauses (SCCs) which are EU-approved data protection clauses.
Brexit is highly politicised, and the EU may seek to ensure that the world (and particularly the other EEA countries) see that the UK feels the pain of exiting. My advice to UK businesses who need to process EU subject data is to read up on the derogations for third countries and start bringing in the standard contractual clauses. The ICO has templates available.
For those thinking that the heat is off outside of GDPR, think again. The ICO has the same powers and is demonstrating it’s used through enforcement, and still holds the number 2 spot for the largest GDPR fine (British Airways 2019). Also, the UK is in the top three for data breach notifications to regulators meaning UK citizens are exercising these powers. What we may find being outside of the EEA is the EU supervisory authorities coming after the UK again for political reasons.