30 October 2019

How to Ensure Data Protection Compliance in a No-deal Brexit

Little time remains before Brexit is set to take place on 31st January 2020. As this date looms closer, it is now more crucial than ever for your organisation to prepare for a no-deal scenario. Specifically, it is important to ensure continued compliance with data protection laws, such as the GDPR.

Since the GDPR is an EU regulation, this law would technically no longer be recognised in the UK if a no-deal takes place. As a result, the UK government announced that it intends to write the GDPR into UK law in the event of a no-deal, which will be deemed the ‘UK GDPR’.

At a glance, the key principles, rights and obligations of the original GDPR will remain the same in the UK GDPR. However, a no-deal could require organisations to adjust international data operations between the UK and the EU or EEA. Use this guidance to remain compliant with data protection laws in the event of a no-deal.

International Data Transfers

If you are a UK-based organisation that transfers personal data to or from the EU or EEA, you must comply with the GDPR’s international data transfer requirements after a no-deal Brexit. You will be permitted to transfer personal data from the UK to the EU or EEA if it is covered by:

If you are receiving personal data from the EU or EEA, you will need to establish an appropriate safeguard for the transfer. The simplest way to do so is by entering into standard contractual clauses with the sender. If the transfer is non-repetitive and no appropriate safeguards apply, you will only be able to conduct the transfer if it is covered by an exception.


International Representatives and Authorities

If you are a UK-based organisation offering goods or services to the EU or EEA, a no-deal scenario will require you to appoint an ‘EU Representative’ to act on your organisation’s behalf regarding GDPR compliance in those locations. The EU Representative will also be responsible for dealing with any supervisory authorities or data subjects in those locations. Similarly, non-UK organisations offering goods or services to the UK will need to appoint a ‘UK Representative’.

Lastly, organisations will need to reconsider their lead authority if they continue to conduct data processing in the EU or EEA after a no-deal. While the ICO will remain as the UK’s lead authority, the EU and EEA will possess alternate lead authorities to supervise data processing practices. To determine your non-UK lead authority, click here.

Contains public sector information published by the ICO and licensed under the Open Government Licence v3.0.

Design © 2019 Zywave, Inc. All rights reserved. This publication is for informational purposes only. It is not intended to be exhaustive nor should any discussion or opinions be construed as compliance or legal advice. In relation to any particular problem which they may have, readers are advised to seek specific advice. Further, the law may have changed since first publication and the reader is cautioned accordingly.