© Crown copyright 2018
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: firstname.lastname@example.org.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/data-protection-eu-exit-guidance/leaving-the-eu-without-a-deal-6-steps-to-take
In the event that the UK leaves the EU on 29 March 2019 without a deal, UK businesses will need to ensure they continue to be compliant with data protection law. For UK businesses that operate only within the UK there will be no immediate change. For UK businesses that operate internationally or exchange personal data with partners in other countries there may be changes that need to be made ahead of the UK leaving the EU to ensure minimal risk of disruption.
It is important for businesses to review whether they would be affected. For those that would be affected, early action is advised as changes may take some time to implement.
This guidance from the Information Commissioner’s Office (ICO) sets out in six steps what your business should be doing to be prepared for EU exit. Further information and resources on EU exit can be found on the ICO website.
1.Continue to comply
Continue to apply GDPR standards and follow current ICO guidance. If you have a Data Protection Officer, they can continue in the same role for both the UK and Europe.
2.Transfers to the UK
Review your data flows and identify where you receive data into the UK from the European Economic Area (EEA). Think about what GDPR safeguards you can put in place to ensure that data can continue to flow once we are outside the EU. Standard contractual clauses are one such GDPR safeguard, the ICO have produced an interactive tool to help businesses understand and complete standard contractual clauses.
3.Transfers from the UK
Review your data flows and identify where you transfer data from the UK to any country outside the UK, as these will fall under new UK transfer and documentation provisions.
If you operate across Europe, review your structure, processing operations and data flows to assess how the UK’s exit from the EU will affect the data protection regimes that apply to you.
Review your privacy information and your internal documentation to identify any details that will need updating when the UK leaves the EU.
Make sure key people in your organisation are aware of these key issues. Include these steps in any planning for leaving the EU, and keep up to date with the latest information and guidance.
For the full guidance please visit the ICO website.