What you should do when transferring people’s personal data between organisations in the UK and EEA to get ready for a no-deal Brexit.
Stay up to date
Get ready for Brexit on 31 October 2019. This page tells you how to prepare for Brexit. It will be updated if anything changes, including if a deal is agreed.
Sign up for email alerts to get the latest information.
This information is for UK businesses and organisations that:
- receive personal data from organisations abroad, including the European Economic Area (EEA), which includes the EU
- operate in the EEA
Data protection and GDPR
Organisations that already comply with The General Data Protection Regulation (GDPR) will still need to take action if they receive personal data from the EEA.
There will be no immediate change to the UK’s data protection standards. GDPR will be brought into UK law and the Information Commissioner will remain the UK’s independent supervisory authority on data protection.
What personal data is
Personal data is any information that can be used to identify a living person, including names, delivery details, IP addresses, or HR data such as payroll details. Most organisations use personal data in their daily operations.
An example of this is a UK company that receives customer information from an EU company, such as names and addresses, to provide goods or services.
What you need to do now
You should review your contracts and include Standard Contractual Clauses (SCC) or other legal safeguards where necessary. This will allow you to continue legally receiving personal data from EEA countries.
Organisations that are part of a multinational group may be able to rely on binding corporate rules (BCRs) to transfer personal data within their group.
Check the ICO website to see the actions your organisation needs to take to get ready for Brexit.
What happens if you do not act
If you do not act, your organisation may lose access to personal data it needs to operate.
Sending personal data from the UK to the EEA
You do not need to do anything now to continue sending personal data out of the UK to the EEA after Brexit. UK organisations will still be able to legally send personal data from the UK to the EEA and 13 countries deemed adequate by the EU.