GDPR post no-deal "Brexit"

The UK has published guidelines on data communications with the EU (and EEA) post-no-deal "Brexit" here.

This 'guidance' does not mention the obvious fact that after 29.03.19 the UK will no longer be a Member State (whether or not there is a "deal"). As a result of the UK ceasing to be a Member State, there will be immediate differences between the GDPR as enacted in Brussels and the Data Protection Act 2018, which purports to exercise derogations that the UK was permitted to exercise while a Member State. Such derogations may not survive the UK ceasing to be a Member State and so may immediately bring about a difference between UK and EU data protection law which can be exploited by aggrieved data subjects (in particular those in the EU) against UK data controllers who rely on such derogations.

Moreover, the EU has made it clear that from 30.03.19 the UK will be a 'Third Country' as far as data transfers from the EU to the UK are concerned.

HMG says that there will be no such constraint for UK data controllers transferring data to the EU.

Therefore, there is a non-reciprocal legal basis for transferring data between the UK and the EU.

Data controllers should consider taking a 'lowest common denominator' approach to their data policies and business practices, so as to minimise the likelihood of falling foul of these differences in the law, which will come into effect on 30.03.19.

This particularly applies to organisations (data controllers) whose data flows back and forth between the UK and the EU, even and especially in relation to cloud services, backup storage and day-to-day business operations.

Any organisation that may be relying on UK purported derogations in relation to their handling of personal data should take legal advice in advance of 29.03.19 to avoid the risk of litigation from aggrieved data subjects in the European courts.