The short answer is no, depending on the scenario.
While there are many Brexit experts, their views and opinions are not helping when it comes to making business decisions. When it comes to predictions, it might be even better to check the British bookmakers and get a sense of the betting odds if there will be a Brexit or not.
However, we can make a few assumptions when it comes to domain names and the Brexit, let us assume the worst scenario; hard Brexit, as in no deal.
In case of a, no deal Brexit currently slated for March 30th would deem the UK as a third country from a GDPR legal perspective. And it will not come as a surprise for most that the GDPR has a whole set of rules when it comes to data export outside of the EEA, which you can read here.
There is the option that the Commission will issue some kind of emergency legislation which allows for a smaller transition period as it will be only a few months. Which is not a lot but might mitigate some of the issues.
You usually have a set of options to transfer data outside of the EU.
Adequacy decisions, data subject consent, public interest, etc.
With domain names, the options become limited due to various reasons.
The most logical solution is the use of standard contract clauses, sometimes called model clauses.
Nominet and applicable gTLD registries would include these standard contract clauses in their contracts which you as a reseller a solid legal basis when it comes to domain name registrations and transferring data to the UK.
Affected TLDs due to the Brexit
.blog Knock Knock WHOIS There LLC
.bayern Bayern Connect GMBH/MMX
.boston Boston TLD Management LLC /MMX
.bradesco Banco Bradesco S.A./MMX
.gop Republican State Leadership Committee Inc./MMX
.london Dot London Domains Ltd./MMX
.broadway Celebrate Broadway Inc.
And last but not least, .UK and .CO.UK.
In the above scenario where domain name resellers or registrars in the EU register domain names in the UK for their customers who are in scope of the GDPR (art 2&3), there seems to be plenty of time and not much to worry about.
The not so clear scenario
It becomes very complicated when you create scenarios with domain name resellers in the UK also dealing with customers from the EU, registering domain names in China or Russia or the USA using a domain name registrar located in Europe.
It goes beyond the scope of this article to flesh out every scenario to the core or the bone.
A pragmatic approach to deal with this scenario or other scenarios could be mapping each data flow and check what legal basis you have used pre-Brexit.
Did you use EU adequacy decisions as a legal basis, can you still use them?
Was the legal basis consent? Do you need to update such approval?
If Privacy Shield is the legal basis to transfer data to the USA what are the options?
Even with a transition period, there is much ground to be covered. If there will be no transition period options will be very limited.
The when Satan will ice skate to work scenario
If the ICANN EPDP workgroup who are currently struggling with the EU GDPR would recommend that thick whois registries are a thing from the past and no longer there is a need to send personal data to the registry, then there is of course in the case of gTLDs no issue at all, let alone you require a legal basis.
The EPDP team final report is slated for February 1. The ICANN board would have to accept such recommendations and undo a decision they made in 2012 when they decided all registries should operate a thick whois.
Given the divide within the EPDP team, I doubt we will see much solid recommendations, let alone a speedy process of implementation.
For more information and tools on data protection in combination with the Brexit please visit theICO website.