The UK is committed to maintaining the standards of the GDPR and the government plans to incorporate it into UK law alongside the DPA 2018 after Brexit.
The UK government has confirmed that when the UK exits the EU, transfers from the UK to the EEA will not be restricted. There will be transitional provisions for a UK adequacy decision to cover these transfers.
The UK government intends to recognise existing EU adequacy decisions, approved EU SCCs (standard contractual clauses) and BCRs (binding corporate rules) wherever possible post Brexit.
Transfers from the EEA to the UK will need to comply with GDPR transfer restrictions.
- Ensure you already comply with the GDPR and UK Data Protection Act 2018.
- If you have no contacts in the EEA who send you data, and no customers in the EEA – no steps are needed now, but review your privacy information and documentation to identify any post-Brexit changes needed.
- If you are a UK business that receives data from contacts in the EEA – you need to take extra steps to ensure data can continue to flow: you will still need to comply with EU data protection laws. For most businesses, SCCs (Standard Contractual Clauses) are the best way – see the ICO SCC Interactive Guidance tool: https://ico.org.uk/for-organisations/data-protection-and-brexit/keep-data-flowing-from-the-eea-to-the-uk-interactive-tool/ The contract needs to be in place BEFORE the UK leaves the EU if it leaves without a deal. SCCs are standard sets of T&Cs which both parties (sender and receiver) sign up to, and which include contractual obligations to protect personal data when it leaves the EEA (and to help EEA senders comply with the GDPR). Public authorities receiving data from another public authority may still use the SCCs, but there are options to use another administrative arrangement.
- If you are a UK business that transfers data to the EEA – you can still do so, and no additional steps are required as long as you continue to comply with the UK Data Protection Act 2018.
- If your organisation operates in the EEA (offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA) you will need to comply with both UK and EU data protection regulations after Brexit. You may need to appoint a representative in the EEA to represent your obligations under the EU GDPR (unless you are a public authority or the processing is occasional, low risk and not large scale use of special category or criminal offence data) – there are providers in the EEA who offer services as a GDPR representative. https://ico.org.uk/for-organisations/data-protection-and-brexit/data-protection-if-theres-no-brexit-deal/the-gdpr/european-representatives/
Restricted transfers
If you are making a restricted transfer that is covered by neither an adequacy decision nor an appropriate safeguard, then you can only make that transfer if it is covered by one of the ‘exceptions’ set out in Article 49 of the GDPR. You should only use these as true ‘exceptions’ (i.e. they should not be used for a regular occurrence). If it is covered by an exception, you may go ahead with the restricted transfer. Of course, you must still comply with the rest of the GDPR.
For information, the exceptions are:
- explicit consent;
- a contract with the individual and the restricted transfer is needed to perform the contract;
- a contract with an individual which benefits another individual whose data is being transferred (e.g. family member);
- important reasons of public interest;
- to establish if you have a legal claim, to make a legal claim or to defend a legal claim;
- to protect the vital interests of the individual;
- the restricted transfer is from a public register;
- a one-off transfer with compelling legitimate interests.
The Information Commissioner’s Office FAQs
Will the GDPR still apply if we leave the EU without a deal?
The GDPR is an EU Regulation and, in principle, it will no longer apply to the UK if we leave the EU without a deal. However, if you operate inside the UK, you will need to comply with UK data protection law. The government intends to incorporate the GDPR into UK data protection law when we exit the EU – so in practice there will be little change to the core data protection principles, rights and obligations found in the GDPR.
The EU version of the GDPR may also still apply directly to you if you operate in Europe, offer goods or services to individuals in Europe, or monitor the behaviour of individuals in Europe.
The GDPR will still apply to any organisations in Europe who send you data, so you may need to help them decide how to transfer personal data to the UK in line with the GDPR.
The ICO will not be the regulator for any European-specific activities caught by the EU version of the GDPR, although we hope to continue working closely with European supervisory authorities.
What will the UK data protection law be if we leave without a deal?
The Data Protection Act 2018 (DPA 2018), which currently supplements and tailors the GDPR within the UK, will continue to apply.
The provisions of the GDPR will be incorporated directly into UK law if we leave the EU without a deal, to sit alongside the DPA 2018.
New DP exit regulations have been passed which will make technical amendments to the GDPR so that it works in a UK-only context from exit day.
What role will the ICO have?
The ICO will continue to be the independent supervisory body regarding the UK’s data protection legislation.
The UK government will continue to work towards maintaining close working relationships between the ICO and the EU supervisory authorities once the UK has left the EU.
Can we still transfer data to and from Europe if we leave without a deal?
The government has said that transfers of data from the UK to the European Economic Area (EEA) will not be restricted. However, if we leave the EU without a deal, GDPR transfer rules will apply to any data coming from the EEA into the UK. You need to consider what GDPR safeguards you can put in place to ensure that data can continue to flow into the UK.
What about law enforcement processing?
The data protection regime set out in Part 3 of the DPA 2018 will still apply to competent authorities processing for law enforcement purposes. These rules derive from an EU directive but are now set out in UK law and will continue to apply after exit day (with some minor technical changes to reflect our status outside the EU).
We expect transfers of data from the UK to the EU and Gibraltar will be able to continue for the time being on the basis of new UK adequacy regulations. For more information on how the transfers rules work, read the international transfers page of our Guide to Law Enforcement processing.
If we leave the EU without a deal, transfers of data from the EU to the UK will be subject to local transfer requirements in the sender’s country. Your European partners may ask you to comply with additional safeguards. We suggest you contact your partners in the EU to discuss what they want to do to ensure that data can continue to flow into the UK.
Does PECR still apply?
Yes. The current PECR rules cover marketing, cookies and electronic communications. They derive from EU law but are set out in UK law. They will continue to apply after we exit the EU.
The EU is replacing the current e-privacy law with a new e-privacy Regulation (ePR). The new ePR is not yet agreed. It is unlikely to be finalised before the UK exits the EU. This means the ePR will not form part of UK law if we leave without a deal.
Does NIS still apply?
Yes. The NIS rules cover network and information systems. They derive from EU law but are set out in UK law. They will continue to apply after we exit the EU. You can find more information in our Guide to NIS.
If you are a UK-based digital service provider offering services in the EU and we leave without a deal, on exit date you may need to appoint a representative in one of the EU member states in which you offer services. You will need to comply with the local NIS rules in that member state. If you also offer services in the UK, you will also need to continue to comply with the UK rules regarding your UK services.
Does eIDAS still apply?
The eIDAS regulation covers electronic ID and trust services. It is an EU regulation and will no longer apply in the UK if we exit the EU without a deal. However, the government intends to incorporate the eIDAS rules into UK law on exit. In practice, if you are a UK trust service provider, you should assume that you will still need to comply with eIDAS rules.
For more information, see ICO Guide to eIDAS. https://ico.org.uk/for-organisations/guide-to-eidas/what-is-the-eidas-regulation/
If you offer trust services in the EU and we leave without a deal, you may also still need to comply with EU eIDAS law in other member states. The UK will no longer regulate that aspect of your services. But we intend to continue working closely with EU supervisory authorities.
Does FOIA still apply?
Yes. The Freedom of Information Act 2000 forms part of UK law and will continue to apply.
For more information, see ICO Guide to freedom of information. https://ico.org.uk/for-organisations/guide-to-freedom-of-information/
Do the EIR still apply?
Yes. The Environmental Information Regulations will continue to apply unless specifically repealed or amended. They derive from EU law but are set out in UK law. The UK has also independently signed up to the underlying international treaty on access to environmental information (the Aarhus Convention).
For more information, see ICO Guide to the EIR. https://ico.org.uk/for-organisations/guide-to-the-environmental-information-regulations/what-are-the-eir/
What happens if the UK agrees a deal?
In the event of a deal with the EU, it’s likely there will be a transition period – during which the GDPR will continue to apply in the UK and you won’t need to take any immediate action. At the end of the transition period, the default position would be the same as for a no-deal Brexit, but there may be time for further developments about how we deal with particular issues such as UK-EU transfers.
Brexit and data protection – useful links
- Data protection if there is no Brexit deal
- Personal data after Brexit
- Data Protection for SMEs with a European presence or European customers
- Data protection, information rights and Brexit frequently asked questions
Further HR Guidance
Visit our Brexit Business Preparation website page for more suggestions on how an organisation as a whole may identify the potential impact that Brexit could have on its operation; as well as get practical HR and employment legislation guidance on how businesses can get ready for Brexit.