Winning with data protection really does require you to keep one eye on the ‘big picture’. Sometimes the best way of doing that is literally with a big picture. Have a look at this one. I’ve used it a lot - it might help you too.
At the end of the Brexit transition period the UK will have some new obligations, regardless of the adequacy decision. One of these is the requirement for UK controllers to appoint a representative based inside the EU.
Accountability is one of the core principles of GDPR, but it means different things to different people. It’s also a set of moving goalposts for exec teams who want assurance that the principle is being met. Some help might be at hand from some ICO guidance on the subject.
In November 2019 one of the German state data protection authorities (Berliner Beauftragte für Datenschutz und Informationsfreiheit - BlnBDI) issued a €14.5 million fine to Deutsche Wohnen, a German housing company, for a breach of data protection legislation.
One important but often overlooked introduction of GDPR was the right for data subjects to claim compensation for a breach even where there is no demonstrable material loss. These costs are significantly more likely to be incurred by a data controller than a penalty from a statutory body, and they can be very significant.
If you move personal information between the UK and other EU countries then a no-deal Brexit will have immediate implications for the legality of this processing. Without preparation, a legitimate or malicious challenge from a data subject could generate avoidable hassle and costs.