As the media continues to report how things might change in the UK following Brexit, it should come as no surprise that data protection is one of the areas that could be affected. The Information Commissioner’s Office (ICO) has issued new guidance to organisations on this issue.

The provisions of the European Union’s General Data Protection Regulation (GDPR)n have already been incorporated into UK law via the Data Protection Act 2018, so for most firms Brexit will not have a significant impact on their data protection obligations.

There may however be implications for organisations that currently transfer data between the UK and the European Economic Area countries. At present, data can move freely between the UK and other European countries because GDPR set a common set of rules to be followed across the continent. However, if the UK either leaves the EU with ‘no deal’, or any arrangement subsequently negotiated between the UK and the remaining EU countries fails to specifically provide for the continued flow of personal data, then there could still be an impact on the data protection system.

The ICO has published a guide called Six Steps To Take, and these six steps are:

  1. Firms should continue to comply with GDPR and the Data Protection Act 2018
  2. Firms should identify where they receive data from EEA member states
  3. Firms should also identify where they transfer data from the UK to another country
  4. Firms with European operations should review their structure, processing operations and data flows. The EU’s data protection rules will of course still apply in other member states after the UK leaves
  5. Firms should review their privacy information and internal documentation to identify any details that will need updating when the UK leaves the EU, such as the need to remove any references to EU law, or any other references to the EU, EEA etc.
  6. Firms should ensure their key staff are aware of how Brexit might affect data protection

The government has already said that transfers of data from the UK to the EEA will not be restricted, even if there is no deal. However, if the UK leaves the EU without a deal, or with a deal that does not specifically cover data flows, GDPR transfer rules will apply to any data coming from the EEA into the UK. Firms that may be affected are advised to commence working with their EU partners to ensure that data transfers remain compliant. Many firms might choose to use Standard Contractual Clauses as their legal basis for future cross-border transfers. These are EU-approved data protection clauses which can either be embedded within contracts, or added as an appendix to an existing contract,

The Privacy and Electronic Communications Regulations, which cover nuisance calls and texts, will continue to apply in the UK after Brexit.


The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article