The Government recently released its second wave of No Deal technical notices. In this piece I will cover their guidance on data protection.

What does the technical note cover? 

This note covers the consequences of a no deal Brexit for UK organisations that import personal information from partner organisations in the EU. It addresses the consequences of the UK leaving the system that allows the free-flow of personal information within the EU.

What are the key takeaways?

If there is no deal the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it. This means largely ‘business as usual’ for the immediate future.

The legal framework governing transfers of personal data from organisations established in the EU to organisations established in the UK would change on exit. It could become more difficult for EU organisations to export personal information to ones in the UK.

UK businesses need to take action to ensure organisations in the EU can still send personal information to them. The objective should be to make Brexit as non-disruptive as possible in terms of EU – UK information transfers.

It is Government policy for the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU.

What should organisations do?

The EU has an established mechanism to allow the free flow of personal data to countries outside the EU, namely an adequacy decision. UK ‘adequacy’ would make transfers from the EU to the UK easier to carry out. We do not know if or when the European Commission will decide that the UK is ‘adequate’.

If the European Commission does not decide that the UK is ‘adequate’, you should consider helping your EU partners to identify an alternative legal basis for their transfer of personal information to the UK.

For most organisations the most relevant alternative legal basis would be standard contractual clauses. These are model data protection clauses, approved by the European Commission, that enable the free flow of personal data from an EU organisation to a UK one. 

Do check the  Information Commissioner’s Office website for more information or feel free to contact me with any queries. EU organisations should seek guidance from their respective data protection authorities.