There are three possible outcomes for a March 29 Brexit: the UK leaves the EU with terms negotiated with Brussels, the UK leaves the EU with no agreement in place, or the UK asks the EU to extend the March 29 deadline to allow for either a general election or a second referendum.
If on March 30 there is no deal, it will not be possible to transfer personal data freely from the EU to the UK. According to the BEERG Global Labor Newsletter, companies should look into two areas specifically in preparation for this possibility:
- Binding Corporate Rules: BEERG notes, “Businesses which have not already looked at Binding Corporate Rules [which allow companies to make intra-organizational transfers of personal data across borders] as a contingency plan to allow the moving of personal data from the EU to the UK should be talking with their data protection lawyers now about this.”
- Location of company’s data controller: The penalties for breach of the GDPR can run to €20 million—or four percent—of global revenue, whichever is the greater. "Should a company be accused of a breach of the GDPR," the newsletter reads, "the legal action will commence in the jurisdiction in which the data controller is located. If a company is at risk of those levels of fines, better to be in a jurisdiction where the documentation is in English, as would be in any court proceedings. Proceedings for GDPR breaches will be fraught enough without them being in a language which will require interpretation and translation."