The General Data Protection Regulation (GDPR) restricts the transfer of personal data outside the European Union. The restrictions may affect a broad range of businesses including those using, for example, online IT services, cloud-based services, remote access services or global HR databases.
Conditions for cross-border transfers
Under current regulations, transfer of personal data into a non-EU country or territory is possible if:
- the recipient's country is deemed to provide an adequate level of data protection - see GDPR adequate countries list
- you put in place appropriate safeguards before exporting your data
- standard contractual clauses apply - see more on model clauses
- binding corporate rules (BCRs) apply and are approved - see more on BCRs
- you adhere to approved industry codes of conduct and certification schemes
- ad hoc safeguards apply
- a specific derogation applies
In a no-deal Brexit scenario, UK businesses may need to rely on one of these mechanisms in order to continue lawfully transferring personal data from the EU into the UK. The flow of data from the UK into the EU is expected to remain unaffected.
Data transfer derogations
Specific exemptions, or derogations, for data transfers apply when:
- the data subject explicitly consents to the transfer (and is aware of the risks)
- the transfer is needed for the performance of a contract
- the transfer is deemed necessary for reasons of public interest
- the transfer is necessary in relation to a legal claim
- the transfer is necessary to protect the data subject's vital interests (eg their life)
- the transfer is made from a public register established by law in the European Union or a member state
- the transfer is necessary for the 'legitimate interests' of the data controller
Find more information on international data transfers under the GDPR.
Problems accessing personal data from outside the UK
To mitigate against the possible cross-border transfer restrictions, you should:
- consider the impact of Brexit on the flow of personal data in and out of your business
- establish clear rules for data processing throughout the supply chain
- carry out due diligence and negotiate compliant data sharing / processor agreements
- incorporate EU model clauses if appropriate
- identify appropriate safeguards that would allow you to continue transfer data across the EEA borders
Find ICO's data protection and Brexit resources to help you prepare for data compliance after Brexit.
Data processing contracts
Whether the transfer takes place within or outside Europe, the rules on sharing data with other organisations (eg suppliers) are stringent. This is also the case if you share data with processors.
Under the GDPR, data controllers can only work with data processors if they can provide sufficient guarantees that they meet the regulation's requirements.
The GDPR sets out specific terms that you must include in your contract with a data processer, if you give them access to personal data. These terms should ensure that the processor:
- processes only the personal data on your documented instructions
- gets your written consent before engaging any sub-processors
- ensures that only authorised personnel (subject to confidentiality) can access the data
- deletes or returns all personal data upon completion of the processing
- takes all appropriate technical and organisational measures to ensure compliance with the GDPR obligations
- makes available all information necessary to demonstrate compliance
- cooperates fully with audits, inspections, and similar actions
This guide aims to help you understand GDPR and your obligations under the law, but it does not constitute legal advice. For definitive legal guidance, see the ICO's guide on GDPR or consider getting independent legal advice.