Using personal data after Brexit

When the UK leaves the EU there may be changes to the rules governing the use of personal data.

This will affect your business if you:

  • operate internationally
  • exchange personal data with business partners in other countries

What is personal data

Personal data refers to any information that can be used to identify a living individual, including their name, their physical or IP address, or information handled by HR functions such as staff working hours and payroll details.

An example of an international exchange of personal data would be a UK company that receives customer information from an EU company, such as names and addresses, in order to provide goods or services.

How this will affect your business if there’s a deal

The implementation period will mean data controllers see no immediate change in their day-to-day obligations.

Personal data will be able to flow freely from the UK to the EU and from the EU to the UK during the implementation period.

As set out in the Political Declaration, the EU will begin its assessment of the UK as soon as possible after the UK’s withdrawal, endeavouring to adopt an adequacy decision (which would allow the continued free flow of personal data from the EU to the UK) by the end of the implementation period.

How this will affect your business if there’s no deal

UK businesses will need to ensure they continue to be compliant with data protection law.

There will be no immediate change to the UK’s data protection standards. The General Data Protection Regulation (GDPR) would be brought into UK law and the Information Commissioner would remain the UK’s independent supervisory authority on data protection.

UK businesses will continue to be able to send personal data from the UK to the EU. In recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU (including EEA).

There will be a change to the way data is shared from the EU to the UK. While we would like the European Commission to adopt an adequacy decision in respect of the UK as soon as possible, we do not expect an adequacy decision to have been made at the point of exit in March 2019.

What your business needs to do now

The Information Commissioner’s Office (ICO) has set out 6 steps your business should take to prepare for EU exit in a no deal scenario. Early action is advised as changes may take some time to implement.

  1. Continue to apply GDPR standards and follow current ICO guidance. Your Data Protection Officer can continue in the same role for both the UK and Europe.

  2. Identify where you receive data into the UK from the European Economic Area (EEA). Consult ICO guidance and think about what GDPR safeguards you can put in place to ensure that data can continue to flow once we are outside the EU. Standard contractual clauses are one such GDPR safeguard; the ICO has produced an interactive tool to help businesses understand and complete standard contractual clauses.

  3. Identify where you transfer data from the UK to any country outside the UK, as these will fall under new UK transfer and documentation provisions.

  4. Review your structure, processing operations and data flows to assess how the UK’s exit from the EU will affect the data protection regimes that apply to you.

  5. Review your privacy information and your internal documentation to identify any details that will need updating when the UK leaves the EU.

  6. Inform your organisation. Make sure that key people in your organisation are aware of these key issues. Include these steps in any planning for leaving the EU, and keep up to date with the latest information and guidance.

Consider professional advice on how these arrangements could affect your business. The information provided here is meant for guidance only. The government is unable to comment on individual cases, and it is in the interest of UK organisations to review their data flows, and seek bespoke guidance where necessary or relevant.

What will happen after the UK leaves the EU

Arrangements to ensure the protection and free flow of personal data will underpin the economic partnership, as well as the security partnership.

The UK and the EU have also agreed to make arrangements for cooperation between the UK’s Information Commissioner’s Office (ICO) and the EU Data Protection Authorities.

Further information

ICO's guidance for organisations on data protection after Brexit

Data protection if there’s no Brexit deal

Published 6 February 2019