Leaving the EU: Brexit and GDPR

10th September 2019

With the deadline for Brexit looming, businesses must be aware of their obligations towards data and need to understand how the flow of their data might be affected by the result of a no deal. Here is a quick overview with some key points that must be addressed by businesses in order to prepare for a no deal scenario.

GDPR will continue to apply to the UK once it leaves the EU: it will be incorporated into UK domestic law as part of the European Union Withdrawal Agreement and will continue to function alongside the Data Protection Act 2018.

However, the biggest challenge of the Brexit process is the prospect of leaving without a deal. The UK government has said that in the event of a ‘No Deal’, it would permit data to flow from the UK to countries in the European Economic Area (EEA); however, it has no control over the flow of data from the EEA to the UK. There will likely be an impact on this flow of information, which will add workload and pressure for companies that share information across the UK border.

A ‘no deal’ Brexit will impact on the flow of information to and from the UK. Companies must consider alternatives to ensure compliance with GDPR.

Every organisation that processes personal data, transfers such data, or has a group entity in the UK will need to put in place measures to ensure compliance.

The Information Commissioner’s Office (ICO), the UK regulator responsible for data protection enforcement, has issued advice to those organisations which rely on EEA data transfers, explaining that alternative transfer mechanisms may be required in the event of a no-deal Brexit. The European Data Protection Board, which replaced the Article 29 Working Party as part of GDPR and comprises representatives from each Member State’s data regulator, has published similar advice to European organisations.

Key steps to prepare for a no-deal

It’s imperative for businesses to understand how data flows within the business and through its third-party suppliers.

  • Maintain up-to-date records of processing and form a complete list of all data flows to and from the UK
  • Identify and plan for alternative transfer mechanisms
  • Review all data protection notices and amend where necessary. Consider notices that have a blanket statement such as ‘No personal data will be transferred out of the EU/EEA’.
  • Consider updates required to Data Protection Impact Assessments
  • Ensure only the correct people have access to data

By following the steps above, organisations can be better prepared to comply with the data regulations in the event of a no deal.
