Brexit: Data protection and EU exit
Guidance to help businesses comply with data protection law after the EU exit
The UK left the EU on 31 January 2020. There is now a transition period until 31 December 2020 while the UK and EU negotiate additional arrangements. The current rules will continue to apply during the transition period. The GDPR will be retained in domestic law at the end of the transition period, but the UK will have the independence to keep the framework under review.
The Information Commissioner's Office (ICO) has published guidance to help UK businesses and organisations keep personal data flowing with the EU and the EEA at the end of the transition period.
If the transition period ends before the EU Commission makes an adequacy decision about the UK, most of the data protection rules affecting small to medium-sized businesses and organisations will stay the same.
The UK is committed to maintaining the high standards of the GDPR (General Data Protection Regulation) and the government plans to incorporate it into UK law at the end of the transition period.
- If you are a UK business or organisation that already complies with the GDPR and has no contacts or customers in the EEA, you do not need to do much more to prepare for data protection compliance at the end of the transition period.
- If you are a UK business or organisation that receives personal data from contacts in the EEA, you need to take extra steps to ensure that the data can continue to flow at the end of the transition period.
- If you are a UK business or organisation with an office, branch or other established presence in the EEA, or if you have customers in the EEA, you will need to comply with both UK and EU data protection regulations at the end of the transition period. You may need to designate a representative in the EEA.
Use the ICO's guidance below to understand whether you will be affected and to find out how you need to prepare. It also links to additional guidance about how to improve your data protection knowledge and compliance.
Check what you need to do:
- Guidance for UK businesses and organisations who have no contacts or customers in Europe
- Guidance for UK businesses and organisations who send or receive data to or from Europe
- Guidance for UK businesses and organisations with a European presence or with European customers
- Guidance for UK businesses and organisations who send or receive data to or from countries outside Europe
You can also use the ICO's Keep data flowing from the EEA to the UK – interactive tool to help you decide whether standard contractual clauses (SCCs) can help you maintain the flow of data from the EEA to the UK.