At present, businesses can freely transfer personal data between Britain and Ireland as both countries are members of the EU. When personal data leaves the EU, the information is considered to have been sent to a "third country". When the UK leaves the EU the UK and Northern Ireland will be considered third country similar to the US.
GDPR requires companies that transfer personal data to a recipient in a ‘third country’ to put in place a transfer mechanism such as the standard contractual clauses (SCCs), in order to lawfully transfer personal data to that non-EEA recipient.
Whilst the UK intends to seek an adequacy decision from the European Commission recognising the UK’s data protection regime as essentially equivalent to those in the EU, an adequacy decision will not be in place before the UK leaves the EU. The European Commission has made it clear that a decision on adequacy cannot be taken until the UK is a third country.
In preparation for this your organisation should start taking the following steps:
- Map the personal data currently being transferred to the UK.
- Determine if the transfers will need to continue beyond end of March 2019
- Consider which transfer mechanism best suits the situation and work towards having it in place by the end of March 2019.
More detail here on the Data Protection Commission website
Be Brexit ready.