
GDPR in practice: Cross-border data flows and Brexit

19 December 2018

At the time of writing, the UK will be leaving the European Union on 29 March 2019.

Under the draft Withdrawal Agreement between the EU and the UK, EU law will continue to apply to personal data exchanged between the UK and EU before the end of the 21-month implementation (or transition) period.

The government is continuing to prepare for the possibility that we may leave the EU without a deal. One of the issues that law firms and other businesses will need to consider is whether their cross-border data flows are compatible with data protection laws.

Law firms exchanging personal data with countries in the European Economic Area should therefore consider their contingency plans in the event that the UK leaves the EU under a no-deal Brexit and without an agreement that provides for the continued two-way flow of personal data.

Our no-deal guidance on data protection is a good place to start.

The Information Commissioner has now published a Six Steps to Take guide, a data protection and Brexit blog, detailed guidance, and a series of FAQs.

The key to the Six Steps is to continue to comply with the GDPR and to review your processing operations. The steps can be summarised as:

  • continue to apply GDPR standards and follow current ICO guidance
  • review your data flows and identify where you receive data into the UK from the EEA and identify the safeguards necessary to ensure that such data can continue to flow post-Brexit
  • identify transfers of data to any country outside the UK – these will fall under new UK transfer and documentation provisions
  • if you have European operations, review your structure, operations and data flows and assess the impact on relevant data protection regimes
  • review your documentation (for example, what your privacy notices say about international transfers), and
  • maintain organisational awareness of the issue.

Brexit Business Readiness survey

The Department for Digital, Culture, Media and Sport (DCMS) has commissioned KPMG to assess the data protection risk faced by organisations in the event of a ‘no-deal’ EU exit.

KPMG are seeking to conduct an anonymous survey to assess organisations' awareness of, and high-level risk exposure to, a no-deal Brexit scenario. The survey should take no longer than five minutes.

The results will be used to support the government's EU exit contingency planning.

Your input is highly valued as part of this. Please complete the survey using the link below.

To access the survey please use the username and password found below. All data shared with DCMS will be anonymised.

Find the survey here


Password: Kpmg1234

New ICO guidance

The Information Commissioner has also published guidance on controllers and processors and, on a more festive note, a blog entitled Sleigh-ing the Christmas GDPR myths.


New frontiers in data protection conference

Half-day conference on 26 September, where expert speakers will explore major DP challenges for solicitors, identify new technology danger spots, offer practical advice on mitigating risk and cover more topics of interest.
