Data protection and no-deal Brexit

3 October 2019

If the UK leaves the EU without a withdrawal agreement, the UK becomes a ‘third country’ under GDPR. Data protection rules for UK organisations may change. This guide considers the steps you should take to comply with UK data protection laws and GDPR.

Preparing for no-deal Brexit

When preparing your organisation for data protection if there’s no withdrawal agreement, you should follow these steps.

Review your data flows

You’ll need to check how your organisation transfers data across borders:

  • from the UK to the EU
  • from the EU to the UK and out of the UK again to other ‘third countries’ (in particular where you have contracts that prohibit data transfers outside of the EU)

Make sure there will be no interruptions in your data flows.

Continue applying GDPR standards

Although the UK will no longer be in the EU, the UK plans to incorporate GDPR rules into UK legislation. This means you should:

Continue to comply with Data Protection Act 2018

Make sure your UK data processes comply with the Data Protection Act 2018, which will continue in force.

Data protection officers

Data protection officers (DPOs) should continue their role. They can combine any future UK and EU responsibilities if they:

  • have expert knowledge of both UK data protection law and EU rules
  • are easily accessible from both the UK and EU

Show efforts to comply with data protection rules

You must show efforts to comply with the relevant data protection rules after Brexit. You should:

  • use proportionate and reasonable resources to identify any risk with international data transfers
  • reduce that risk with safeguards that suit your organisation’s needs

Safeguards include:

Support this with the right governance, internal controls and staff training.

Review your privacy policy

You should review your privacy policies so that it’s clear how personal data moves within and outside of the UK.

Where you have European operations

Where you have European operations, review:

  • their structure
  • how they transfer data across borders
  • how rules in the UK and EU will affect them

Transfers of data within the UK

If your organisation only transfers data within the UK you should continue to comply with the Data Protection Act 2018 and any GDPR rules incorporated into UK legislation.

Transfers of data from the UK

To EEA countries

The government has said that when the UK exits the EU, it will not impose restrictions on data transfers from the UK to the EEA.

But organisations based in the UK must still comply with EU GDPR rules if they:

  • offer goods or services to individuals in the EEA
  • monitor the behaviour of individuals in the EEA

You may also have to:

  • deal with the ICO
  • deal with European supervisory authorities in every EEA country where people are affected by your activities
  • appoint a representative in those countries
  • update privacy notices to include your representative’s contact details

To countries outside the EEA

You’ll only need to comply with UK data laws if you’re transferring UK data to countries outside the EEA.

Transfers of EU data

To the UK

After Brexit, the UK will become a ‘third country’ under GDPR. You should review your data flows and identify data received from the EEA, including from suppliers and processors.

With an adequacy decision

If the EU grants the UK an ‘adequacy decision’, recognising that UK law provides equivalent protection to GDPR, organisations can continue to transfer data to the UK in the same way as before.

No adequacy decision

Where there is no ‘adequacy decision’, you may still comply with EU law by using safeguards, such as:

  • SCCs – the ICO interactive tool can help you decide if these apply to you
  • BCRs for multinational organisations
  • Approved Codes of Practice (ACOPs)

Relying on consents

It’s not clear if UK organisations processing EU data will be able to rely on consents given while the UK was in the EU. To be sure, you should:

  • consider getting consent again
  • make sure consent covers the transfer of personal data to countries outside the EEA

Between third countries (including UK)

Adequacy decision

If the EU grants the UK an ‘adequacy decision’, rules on data transfers between third countries are likely to remain similar to those in place before the UK leaves the EU.

No adequacy decision

If there is no ‘adequacy decision’, organisations transferring EU personal data between third countries should consider:

  • using a new mechanism for those transfers, such as SCCs, BCRs or approved codes of conduct (APOCs)
  • changing how you transfer data so that it goes directly from an EU country to the non-EEA data importer using an appropriate data transfer mechanism (for example SCCs)

UK organisations with European operations

Complying with GDPR rules

If you have another office in an EEA country, you must comply with:

  • GDPR
  • any variations of privacy law allowed by GDPR in each EEA country

Variations may include:

  • how to report a data breach
  • appointing a data protection officer

One-stop shop supervisory authority

If you’re operating in more than one EU country, you only need to work with a single supervisory authority (the Lead Supervisory Authority or ‘LSA’) under GDPR, usually the one where your main office is based. If you nominated the ICO as your LSA, you’ll need to consider nominating another regulator based in the EU after a no-deal Brexit.

Preparing for no-deal Brexit checklist

This checklist gives the steps you can take in preparing for changes to data protection laws that may follow a no-deal Brexit:

  1. Review data flows
  2. Continue to apply GDPR standards
  3. Continue to apply the Data Protection Act 2018
  4. Review DPO duties
  5. Show efforts to comply
  6. Check transfers of data within the UK
  7. Check transfers of data from the UK
  8. Check transfers of EU data
  9. Make sure UK organisations with EU operations comply with GDPR

Resources

No-deal Brexit guidance: data protection – Law Society guidance on the implications of lawful transfers of EU personal data in the UK should the UK leave the EU without reaching an agreement

Brexit and the legal sector – Law Society guidance on preparing for Brexit

International data transfer – webinar covering the movement of personal data across systems, networks and borders

Data protection and no-deal Brexit for small businesses and organisations – ICO guidance and resources

Using personal data in your business or organisation if there’s no Brexit deal – GOV.UK advice on sharing personal data across borders

Data Protection Act 2018
