Brexit may have an impact on which supervisory data protection authority is competent for one or more of your data processing activities. After Brexit this will depend on whether you perform cross-border processing, and where you are established.
The GDPR identifies two situations for cross-border processing activities:
In case of a cross-border processing, the GDPR’s one-stop shop mechanism will apply, so that one supervisory authority will be competent for that cross-border processing (the lead supervisory authority).
The one-stop shop mechanism applies in case of cross-border processing. It is a cooperation mechanism between national supervisory authorities. It allows organisations involved in cross-border processing to have a single interlocutor for the control of such processing activities.
Cross-border data protection cases typically arise when the processing of personal data takes place in the context of activities of an organisation in more than one EEA Member State. In such situation several supervisory authorities may be competent. To avoid any inconsistencies, one of them should take the lead. This lead authority will have the responsibility of dealing with the organisation regarding its cross-border processing activities.
Upon a no-deal Brexit, the UK’s supervisory authority (the ICO), will be taken out of the one-stop shop mechanism.
Identifying the lead supervisory authority is based on the main establishment of the data controller, which is the place of central administration in the EEA, unless a different branch has the power to take such decision.
The following elements should be taken into consideration to identify the lead supervisory authority:
In most cases, the main establishment will be the central administration, where the decision about the purpose and means of cross-border processing are taken and where the power to implement such decision lies.
This cooperation between national supervisory authorities is one of the means implemented by the GDPR to ensure a coherent interpretation and implementation of the European rules throughout the Union.
If the ICO is currently your supervisory authority, your course of action will vary depending on whether your company has establishments in the EEA. While the ICO has announced that it intends to keep on collaborating with European supervisory authorities, upon Brexit it will no longer be part of the one-stop shop mechanism and will be an independent supervisory authority.
Consequently, you should reconsider which is your lead supervisory authority, or whether you have one at all in the EEA. In the case of a no-deal Brexit, controllers established in the UK will need to consider the following:
If you cannot identify a main establishment in the EEA, you probably will have to designate a representative in the EEA.
If you are a controller and processor without an establishment in the EEA upon a no-deal Brexit, you must designate a representative in the EEA when you process personal data of data subjects who are in the EEA to offer them goods and services or to monitor their behaviour, as far as it takes place in the EEA.
The designated representative must be established in one of the Member States where the data subjects, whose data are processed, are. The representative is mandated to be addressed by data subjects and supervisory authorities for GDPR compliance purposes.
The representative is acting on behalf of the controller or processor established outside of the EEA. He or she can be contacted by the supervisory authority.
The representative must maintain a record of processing activities. The representative must also cooperate with any supervisory authority asking for any information necessary for the performance of its tasks.
This article ends a serie of 6 articles about Brexit:
 Article 29 Data Protection Working Party, WP 244 rev.01, Guidelines for identifying a controller or processor ‘s lead supervisory authority.