The Information Commissioner’s Office (ICO) has recently released guidance to help small to medium-sized UK organisations prepare for a no-deal Brexit. If you send personal data from the UK to the European Economic Area (EEA) then you will not need to take additional steps to ensure the data continues to flow after Brexit because the UK government has said that transfers to the EEA will not be restricted.

However, if you receive personal data from the EEA, you will need to take steps to ensure that the personal data continues to flow after Brexit. In the majority of cases, this is best done by putting in place a contract between you and your contact based in the EEA on EU-approved terms known as standard contractual clauses (SCCs) which provide for appropriate safeguards when transferring personal data to a third country or an international organisation. The SCCs will need to be put in place before the date on which the UK leaves the EU without a deal. However, if you do not have the power to enter into a binding contract, then the ICO suggests entering into an administrative arrangement that includes enforceable and effective rights for the individuals whose personal data is being transferred. The European Data Protection Board is intending to publish further guidance on administrative arrangements in due course.

If you have an office, branch or other established presence in the EEA, or if you have customers in the EEA, you will need to comply with both UK and EU data protection legislation after Brexit. This means you may need to designate a representative in the EU.

Finally, it is important to remember to review and update your privacy information and documentation for any changes that will need to be made after Brexit.

For more information please get in touch with one of our information law experts:

Our use of cookies

We use necessary cookies to make our site work. We'd also like to set optional analytics cookies to help us improve it. We won't set optional cookies unless you enable them. Using this tool will set a cookie on your device to remember your preferences. For more detailed information about the cookies we use, see our Cookies page.

Necessary cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytics cookies

We'd like to set Google Analytics cookies to help us to improve our website by collection and reporting information on how you use it. The cookies collect information in a way that does not directly identify anyone.
For more information on how these cookies work, please see our Cookies page.