2 October 2019
Guidance to help businesses comply with data protection law after the EU exit
The UK Information Commissioner's Office (ICO) has a range of resources to help businesses comply with data protection laws in case of a no-deal Brexit.
These resources include:
- a short 'Ready? Set...GO!' video tutorial
- guidance for SMEs on how to prepare for a no-deal Brexit
- guidance for large businesses and organisations, and data protection specialists
- a selection of frequently asked questions on information rights and Brexit
These resources are designed to help UK businesses and organisations keep personal data flowing with Europe after Brexit.
Data protection and no-deal Brexit
If the UK leaves the European Union (EU) without a deal, most of the data protection rules affecting small to medium-sized businesses and organisations will stay the same.
The UK is committed to maintaining the high standards of the General Data Protection Regulation (GDPR) and the government plans to incorporate it into UK law after Brexit.
If you only operate within the UK
If you are a UK business or organisation that already complies with the GDPR and has no contacts or customers in the European Economic Area (EEA), you do not need to do much more to prepare for data protection compliance after Brexit.
If you operate in the UK but transfer data to and from the EEA
If you are a UK business that sends data to or receives data from contacts or customers in the EEA, you may need to take extra steps to ensure that the data can continue to flow after Brexit:
- If you send data from the UK to the EEA, you will still be able to do so. The UK government has stated that transfers to the EEA will not be restricted.
- If you receive data in the UK from the EEA, you will need to comply with EU data protection laws. In a no-deal Brexit, the UK will become a 'third country' on exit day and will be subject to strict EU transfer rules. Review your privacy information and documentation to identify any changes that you may need to make to continue to receive these transfers lawfully after the exit date. For most businesses and organisations, SCCs (Standard Contractual Clauses) will be the best way to keep data flowing to the UK if the UK exits the EU without a deal.
The ICO has produced a simple interactive tool to help you keep data flowing from the EEA to the UK, if the UK leaves the EU without a deal.
If you operate in the EEA
If you are a UK business or organisation with an office, branch or other established presence in the EEA, or if you have customers in the EEA, you will need to comply with both UK and EU data protection regulations after Brexit. You may need to designate a representative in the EEA.
If you transfer data to and from countries outside Europe
Rules for sharing data with countries outside the EEA will remain similar. At this stage, you don't need to take any extra steps. The UK government has confirmed that there will be transitional provisions to recognise existing EU adequacy decisions and EU-approved transfer safeguards.