16th January 2019


by: Admin


Categories: News

Brexit and Data Protection

What is the Current Position and How Do You Prepare Your Business for the Changes?

What steps should you be considering?

With Theresa May’s Brexit deal having been rejected by the House of Commons on 15th January 2019 (by an unprecedented majority of 432 to 202), nobody can predict what will happen regarding Brexit. But whether there will be a new Brexit deal, a no-deal or no Brexit, it is wise to give thought to how you can protect one of your most valuable and most vulnerable business assets – your personal data.


If the UK leaves the European Union, it will be considered a “third country”. This means that UK businesses and organisations will no longer be part of the EU Digital Single Market and personal data will no longer flow freely between the EU/European Economic Area (EEA) and the UK. Any service or product-oriented business is heavily reliant on data, and any restrictions placed on data flows will disrupt business and create a barrier to trade. We cannot predict the exact implications of this at this time, but we can understand and prepare for the different possible scenarios.

The Brexit deal that was rejected by MPs on 15 January 2019 provided that there would essentially be no changes during the transition period (29 March 2019 to 31 December 2020), and that personal data could continue to be transferred freely in both directions. This deal is currently under review, and a further draft is anticipated early next week. At the time of writing, it is not clear whether any amendments will affect data protection, although this seems unlikely.

During the transition period, the UK would seek to obtain an adequacy decision from the EU, showing that it provides an adequate level of protection for personal data, so that data can continue to flow at the end of the transition period. The EU has already indicated that an adequacy decision is not by any means guaranteed, pointing at recent UK Acts that allow security services to handle personal data in ways that might not be in line with EU law (such as the Investigatory Powers Act 2016 and Data Protection Act 2018).

So what happens without an adequacy decision or even without a Brexit deal?

The UK has declared that it will continue to allow the transfer of personal data to the EU in order to ensure a minimum of disruption. This policy will be kept under review. The transfer of personal data from the EEA into the UK is another issue. The UK will be considered a third country and, in the absence of an adequacy decision, any transfer would only be permitted subject to additional safeguards. Individual businesses would need to use other means, such as Standard Contractual Clauses (SCCs), which have been approved by the European Commission. Other safeguards are binding corporate rules, which only apply in the case of big multinational corporations, or specific exemptions listed in the GDPR (Art. 49), such as:

– explicit consent,

– performance of a contract or implementation of pre-contractual measures,

– important reasons of public interest, the establishment or defence of legal claims,

– to protect the vital interest of the data subject,

– if the transfer is from a public register or

– in specific circumstances where it is a non-repetitive transfer concerning a limited number of data subjects.

What does that mean for my business?

Depending on your flow of personal data and on what happens regarding Brexit, you will need to assess whether your business needs to take steps to support the continued processing of EEA citizens’ personal data in the course of your business. You need to have a crystal-clear understanding of your personal data flows as well as the market that you target. Do you rely on transfers of personal data to the EEA and back?

Do you use servers or service providers in the EEA? Do you target or monitor individual customers in the EEA? If so, you might need to start thinking about using SCCs, which are available on the ICO website. More guidance on whether you need to use SCCs can be found on the ICO website: https://ico.org.uk/for-organisations/data-protection-and-brexit/standard-contractual-clauses-for-transfers-from-the-eea-to-the-uk-interactive-tool/.

You might also need to update your privacy notice and other policies as well as contractual documents, such as your terms and conditions. In some cases, it will be necessary to appoint an EEA-based representative as a point of contact for the EU data protection authorities.

We understand that Brexit raises numerous questions and uncertainties. We are here to help you keep your business relations uninterrupted and compliant with data protection legislation. Take the first step by calling us on 01343 813 745 to arrange to speak with one of our consultants, who will be delighted to provide you with advice.