The European Commission issued in November 2018 a communication as to its contingency action plan relating to preparations for the UK’s withdrawal from the EU. In respect of personal data, the Commission has been very clear that there is no intention to adopt an adequacy decision in respect of the UK as part of the contingency planning. An adequacy decision means that data can be freely transferred from the EU to the UK without the need for other safeguards to be put in place by the transferor.
If there is no withdrawal agreement, this means that all EU businesses (and other non-EU businesses that are subject to the GDPR) needing to transfer data to the UK will have to put in place alternative forms of “appropriate safeguard” to allow the transfers within the GDPR with effect from 30th March 2019. The appropriate safeguards would include using the standard contractual clauses or binding corporate rules. The ICO has also recently issued guidance on the effect of leaving the EU without a withdrawal agreement along with a “Six Steps” guide.