Using personal data in your business or organisation and Brexit

What you should do when transferring people’s personal data between organisations in the UK and EEA to get ready for a no-deal Brexit.

Stay up to date

The UK is leaving the EU. This page tells you how to prepare for Brexit and will be updated if anything changes.

Sign up for email alerts to get the latest information.

This information is for UK businesses and organisations that:

  • receive personal data from organisations abroad, including the European Economic Area (EEA), which includes the EU
  • operate in the EEA

Data protection and GDPR

Organisations that already comply with The General Data Protection Regulation (GDPR) will still need to take action if they receive personal data from the EEA.

There will be no immediate change to the UK’s data protection standards. GDPR will be brought into UK law and the Information Commissioner will remain the UK’s independent supervisory authority on data protection.

What personal data is

Personal data is any information that can be used to identify a living person, including names, delivery details, IP addresses, or HR data such as payroll details. Most organisations use personal data in their daily operations.

An example of this is a UK company that receives customer information from an EU company, such as names and addresses, to provide goods or services.

What you need to do now

You should review your contracts and include Standard Contractual Clauses (SCC) or other legal safeguards where necessary. This will allow you to continue legally receiving personal data from EEA countries.

Organisations that are part of a multinational group may be able to rely on binding corporate rules (BCRs) to transfer personal data within their group.

Check the ICO website to see the actions your organisation needs to take to get ready for Brexit. Or call the ICO helpline on 0303 123 1113 for further information (open Monday - Friday).

What happens if you do not act

If you do not act, your organisation may lose access to personal data it needs to operate.

Sending personal data from the UK to the EEA

You do not need to do anything now to continue sending personal data out of the UK to the EEA after Brexit. UK organisations will still be able to legally send personal data from the UK to the EEA and 13 countries deemed adequate by the EU.

Published 6 February 2019