Brexit: Data Protection After 29 March

Guidance to help businesses comply with data protection law after 29 March

The UK Information Commissioner’s Office (ICO) has published new resources to help businesses comply with data protection laws in case of a no-deal Brexit.

These resources include:

You should carefully consider this guidance if:

  • your business operates in the European Economic Area (EEA)
  • you send personal data outside the UK
  • you receive personal data from the EEA, including the European Union (EU)

If you only operate within the UK
For businesses that only share data within the UK, there will be ‘no substantive change’ to the data protection rules. After exit, you will have to continue to comply with the General Data Protection Regulation, which the UK government intends to incorporate into domestic UK law.

If you operate in the EEA
If you operate in the EEA, you may need to comply with both the UK data protection regime (including the Data Protection Act 2018) and the EU regime after the UK exits the EU.

If you transfer data to and from the EEA 
Should the UK leave the EU without a withdrawal agreement, the UK government intends to permit data to flow freely from the UK to the EEA countries.

However, in absence of an agreement, the flow of personal data from the EEA to the UK is likely to be affected. The UK would effectively become a ‘third country’ for the purposes of data transfer, which would make UK businesses subject to the strict rules on international transfers of personal data.

Your business may need to make changes to ensure that you can continue to lawfully exchange personal data with partners in the EEA after Brexit. One of these changes may involve putting in place Standard Contractual Clauses between your business and organisations outside the UK.

The ICO has produced a straightforward interactive guide to take you through that process and to help you decide if Standard Contractual Clauses are relevant to your business.

In addition to the ICO’s guidance and tools, you may wish to read the UK government’s notice on the amendments to UK data protection law in the event of a no-deal Brexit.