For large companies that have just completed writing and implementing their GDPR policies, one of the major upsides is that they don’t have to wrestle with new data regulations for some time. Unfortunately, there is a threat to the harmony that GDPR has brought to data protection officers around the country: Article 50. It turns out that, while everyone was focused on GDPR fines and 72-hour breach notifications, on 9th January 2018 the European Commission published a notice to stakeholders confirming that, post-Brexit, the UK will become a “third country”, which may impact personal data transfers from the EU to the UK. It also means the UK’s “adequacy” for EU data protection law purposes is not an automatic right and is a matter for decision by the European Commission.
Even if an adequacy decision is not granted, there are other mechanisms for British firms to keep data flowing, but these aren’t going to be as simple a process as if adequacy were granted. There are a lot of reasons to think that this wouldn’t be a problem: the UK will be GDPR compliant at the point of Brexit, the ICO is well funded and well run, etc. However, there have been sticking points, such as the Investigatory Powers Act (IPA), which was deemed in breach of EU data protection law by the European Court of Justice (ECJ) in 2016. While the government has subsequently tweaked the IPA, it’s not clear whether those changes would stand up to a second round of scrutiny from the ECJ.
Whilst it is unlikely, there is the possibility of UK companies being caught out in March 2019 if the country ends up with a no-deal or Hard Brexit. Most companies that use cloud services (SaaS, IaaS, etc.) are not aware of where their data is physically being stored, and this is something they should look into in the run-up to Brexit. 4D Data Centres has written an in-depth whitepaper on this subject called “The Cloud on the Ground”, which can be downloaded here.