If the UK leaves the EU without a withdrawal agreement, the UK becomes a ‘third country’ under GDPR. Data protection rules for UK organisations may change. This guide considers the steps you should take to comply with UK data protection laws and GDPR.
Preparing for no-deal Brexit
When preparing your organisation for data protection if there’s no withdrawal agreement, you should follow these steps.
Review your data flows
You’ll need to check how your organisation transfers data across borders:
- from the UK to the EU
- from the EU to the UK and out of the UK again to other ‘third countries’ (in particular where you have contracts that prohibit data transfers outside of the EU)
Make sure there will be no interruptions in your data flows.
Continue applying GDPR standards
Although the UK will no longer be in the EU, the UK plans to incorporate GDPR rules into UK legislation. This means you should continue to apply GDPR standards, as set out below.
Continue to comply with the Data Protection Act 2018
Make sure your UK data processes comply with the Data Protection Act 2018, which will continue in force.
Data protection officers
Data protection officers (DPOs) should continue their role. They can combine any future UK and EU responsibilities if they:
- have expert knowledge of both UK data protection law and EU rules
- are easily accessible from both the UK and EU
Show efforts to comply with data protection rules
You must show efforts to comply with the relevant data protection rules after Brexit. You should:
- use proportionate and reasonable resources to identify any risk with international data transfers
- reduce that risk with safeguards that suit your organisation’s needs
Support this with the right governance, internal controls and staff training.
You should review your privacy policies so that it’s clear how personal data moves within and outside of the UK.
Where you have European operations
Where you have European operations, review:
- their structure
- how they transfer data across borders
- how rules in the UK and EU will affect them
Transfers of data within the UK
If your organisation only transfers data within the UK you should continue to comply with the Data Protection Act 2018 and any GDPR rules incorporated into UK legislation.
Transfers of data from the UK
To EEA countries
The government has said that when the UK exits the EU, it will not impose restrictions on data transfers from the UK to the EEA.
But organisations based in the UK must still comply with EU GDPR rules if they:
- offer goods or services to individuals in the EEA
- monitor the behaviour of individuals in the EEA
You may also have to:
- deal with the ICO
- deal with European supervisory authorities in every EEA country where people are affected by your activities
- appoint a representative in those countries
- update privacy notices to include your representative’s contact details
To countries outside the EEA
You’ll only need to comply with UK data laws if you’re transferring UK data to countries outside the EEA.
Transfers of EU data
To the UK
After Brexit, the UK will become a ‘third country’ under GDPR. You should review your data flows and identify data received from the EEA, including from suppliers and processors.
With an adequacy decision
If the EU grants the UK an ‘adequacy decision’, recognising that UK law provides equivalent protection to GDPR, organisations can continue to transfer data to the UK in the same way as before.
No adequacy decision
Where there is no ‘adequacy decision’, you may still comply with EU law by using safeguards, such as:
- SCCs – the ICO interactive tool can help you decide if these apply to you
- BCRs for multinational organisations
- Approved Codes of Practice (ACOPs)
Relying on consents
It’s not clear if UK organisations processing EU data will be able to rely on consents given while the UK was in the EU. To be sure, you should:
- consider getting consent again
- make sure consent covers the transfer of personal data to countries outside the EEA
Between third countries (including UK)
If the EU grants the UK an ‘adequacy decision’, rules on data transfers between third countries are likely to remain similar to those in place before the UK leaves the EU.
No adequacy decision
If there is no ‘adequacy decision’, organisations transferring EU personal data between third countries should consider:
- using a new mechanism for those transfers, such as SCCs, BCRs or approved codes of conduct (ACOPs)
- changing how you transfer data so that it goes directly from an EU country to the non-EEA data importer using an appropriate data transfer mechanism (for example SCCs)
UK organisations with European operations
Complying with GDPR rules
If you have another office in an EEA country, you must comply with:
- any variations of privacy law allowed by GDPR in each EEA country
Variations may include:
- how to report a data breach
- appointing a data protection officer
One-stop shop supervisory authority
If you’re operating in more than one EU country, you only need to work with a single supervisory authority (Lead Supervisory Authority or ‘LSA’) under GDPR, usually the one where your main office is based. If you nominated the ICO as your LSA, you’ll need to consider nominating another regulator based in the EU after a no-deal Brexit.
Preparing for no-deal Brexit checklist
This checklist gives the steps you can take in preparing for changes to data protection laws that may follow a no-deal Brexit:
- Review data flows
- Continue to apply GDPR standards
- Continue to apply the Data Protection Act 2018
- Review DPO duties
- Show efforts to comply
- Check transfers of data within the UK
- Check transfers of data from the UK
- Check transfers of EU data
- Make sure UK organisations with EU operations comply with GDPR
No-deal Brexit guidance: data protection – Law Society guidance on the implications of lawful transfers of EU personal data in the UK should the UK leave the EU without reaching an agreement
Brexit and the legal sector – Law Society guidance on preparing for Brexit
International data transfer – webinar covering the movement of personal data across systems, networks and borders
Data protection and no-deal Brexit for small businesses and organisations – ICO guidance and resources
Using personal data in your business or organisation if there’s no Brexit deal – GOV.UK advice on sharing personal data across borders
Data Protection Act 2018