Guidance

Using personal data in your business or organisation if there’s no Brexit deal

What you should do when sharing personal data across borders in your business or organisation if there’s no Brexit deal

Stay up to date

The UK will leave the EU on 31 October. This page tells you how to prepare for Brexit. It will be updated if anything changes, including if a deal is agreed.

Sign up for email alerts to get the latest information.

This information is particularly relevant to UK businesses and organisations which:

  • Receive personal data from international partners including the EEA
  • Operate in the European Economic Area (the EEA), which includes the EU

What we mean by receiving personal data

Personal data is any information that can be used to identify a living individual, including their name, their physical or IP address, or HR data such as staff working hours and payroll details. Personal data is regularly used in the daily running of organisations: HR, sales, purchasing, marketing. Your organisation almost certainly uses personal data in its daily operations and if you can’t access it that may disrupt your work.

An example of receiving personal data from an international partner would be a UK company that receives customer information from an EU company, such as names and addresses, to provide goods or services.

What you need to do before a no-deal Brexit

If your organisation receives personal data from the EU/EEA, you should review your contracts and, where absent, include Standard Contractual Clauses (SCC) or other Alternative Transfer Mechanisms (ATM) to ensure that you can continue to legally receive personal data from the EU/EEA.

Businesses that are part of a multinational group may be able to rely on binding corporate rules (BCRs), for intra-group transfers as an appropriate safeguard.

To help determine whether this is right for you, refer to the ICO’s Do I need to use standard contractual clauses for transfers from the EEA to the UK? Tool.

There may be additional actions that some organisations need to take. The Information Commissioner’s Office (ICO) has further guidance your business or organisation should follow to prepare for Brexit.

For most organisations, especially SMEs, taking the required action isn’t highly costly and doesn’t always require specialist advice. The ICO have built a handy tool to help you understand what to do.

What happens if you don’t act

If you fail to act, your organisation may lose access to personal data it needs to operate. Consult the guidance and review your contracts to ensure your organisation can continue receiving personal data from the EU/EEA.

Where you don’t need to act - sending personal data from the UK to the EEA

UK businesses and organisations will continue to be able to legally send personal data from the UK to the EEA and 13 countries deemed adequate by the EU.

There is no need to take preparatory action to continue sending personal data out of the UK to the EU/EEA.

Data protection law if there’s no Brexit deal

If the UK leaves the EU without a deal, UK businesses and organisations will still need to be compliant with data protection law.

There will be no immediate change to the UK’s data protection standards. The General Data Protection Regulation (GDPR) will be brought into UK law and the Information Commissioner would remain the UK’s independent supervisory authority on data protection.

Published 6 February 2019