With the end of October looming we are in the unusual position of not knowing exactly what the law will be next month. Will it be business as usual or will there be fundamental changes as a result of a no-deal Brexit?
From a data protection standpoint, there are things we do know. We know that the UK will adopt a parallel version of the GDPR. We also know that many UK business will additionally have to comply with the EU GDPR, because they will fall within the existing extra-territorial provisions of Article 3 of the GDPR (which applies the rules to organisations outside of the EU, as we will be).
Where this matters most is when a UK organisation imports personal data from the EEA (European Economic Area). The EU has a list of countries outside the EEA which have been deemed to offer "adequate protection" for personal data, but the UK isn't on that list. The UK can't be listed at the moment as we're not yet outside the EEA, and negotiations about whether or not the UK will be listed will not start until we do leave. If there is a deal and a transition period this can be worked on then, but in a no-deal scenario the UK will not be deemed a safe jurisdiction immediately (despite having fully implemented GDPR). Special measures will therefore need to be implemented by organisations wanting to send personal data from the EEA to the UK. It's likely that this will need to be addressed by the use of the EU approved Standard Contractual Clauses, which will need to be put in place between the European exporters and British importers of personal data.
Also, where a British company doesn't have an office in the EEA, but offers goods or services to individuals in the EEA (or monitors the behaviour of individuals in the EEA) it will need to appoint a formal Representative in the EEA.
The Government has produced a number of guidance notes. You might like to familiarise yourselves with them and take steps to prepare. In the meantime if there's anything you would like to discuss relating to Brexit and your organisation (or indeed in relation to data protection generally) please do get in touch.
https://www.gov.uk/guidance/using-personal-data-after-brexit#what-we-mean-by-receiving-personal-dataIf your organisation receives personal data from the EU/EEA, you should review your contracts and, where absent, include Standard Contractual Clauses (SCC) or other Alternative Transfer Mechanisms (ATM) to ensure that you can continue to legally receive personal data from the EU/EEA.