5 February 2019
Guidance to help businesses comply with data protection law after the EU exit date if there is no deal
The UK Information Commissioner's Office (ICO) has published new resources to help businesses comply with data protection laws in case of a no-deal Brexit.
These resources include:
- a short 'six steps to take' checklist
- a detailed guide on data protection if there's no Brexit deal
- a selection of frequently asked questions on information rights and Brexit
You should carefully consider this guidance if:
- your business operates in the European Economic Area (EEA)
- you send personal data outside the UK
- you receive personal data from the EEA, including the European Union (EU)
If you only operate within the UK
For businesses that only share data within the UK, there is 'no substantive change' to the data protection rules. After exit, you will have to continue to comply with the General Data Protection Regulation, which the UK government plans to incorporate into domestic UK law.
If you operate in the EEA
If you are a UK business with headquarters in the UK but with operations in the EU, and you process personal data across EU/EEA borders, you might need to deal with a lead supervisory authority in the EU. Find out more about lead data protection authorities.
If you are a UK business that offers goods or services in the EEA, or monitors the behaviour of EEA subjects, but will not have an established presence in an EU or EEA state after 29 March 2019, you may need to employ a European representative. Find out more about European representatives.
In both of these scenarios, you will need to comply with both the UK data protection regime (including the Data Protection Act 2018) and the EU regime after the UK exits the EU.
If you transfer data from the UK to the EEA
Should the UK leave the EU without a withdrawal agreement, the UK government intends to permit data to flow freely from the UK to the EEA countries. You should review your privacy information and your internal documentation to identify any details that will need updating when the UK leaves the EU.
If you transfer data from the EEA to the UK
In the absence of an agreement, the flow of personal data from the EEA to the UK is likely to be affected. The UK would effectively become a 'third country' for the purposes of data transfer, which would make UK businesses subject to the strict rules on international transfers of personal data.
Your business may need to make changes to ensure that you put appropriate GDPR safeguards in place and that you can continue to lawfully exchange personal data with partners in the EEA after Brexit. One of these changes may involve putting in place Standard Contractual Clauses between your business and organisations outside the UK.
The ICO has produced a straightforward interactive guide to take you through that process and to help you decide if Standard Contractual Clauses are relevant to your business.
In addition to the ICO's guidance and tools, you may wish to read the UK government's notice on the amendments to UK data protection law in the event of a no-deal Brexit.