0370 270 6000

already registered?

Please sign in with your existing account details.

need to register?

Register to access exclusive content, sign up to receive our updates and personalise your experience on brownejacobson.com.

Privacy statement - Terms and conditions

data protection: preparing for Brexit

9 October 2019

Although there is uncertainty about what arrangements will apply when the UK leaves the EU, there are a number of practical steps that can be taken now to prepare from a data protection perspective and to ensure that any data flows to and from the EU can continue post Brexit.

  1. Understand your data flows.

    As part of preparing for the General Data Protection Regulation 2016/679 coming into force in May 2018, your organisation will have carried out a data mapping exercise. If this is up-to-date then you will be able to use this to assess to what extent your organisation will be impacted by Brexit. Where this is not up-to-date then this is a good opportunity to review it and update it.

    The key is to identify any data flows to and, more importantly, from countries in the EU. Even if you do not think information is being transferred you will need to carefully consider your data processing arrangements and any sub-processing arrangements.

    After Brexit, countries in the EU who are transferring personal data to the UK will need to comply with the international transfer provisions in the GDPR, until an adequacy decision is made by the European Commission in respect of the UK. In most cases this will be by using the Standard Contractual clauses.

  2. Consider whether the territorial scope provisions in Article 3 of the GDPR mean that your organisation will need to appoint an EU representative and , if so, take steps to identify and appoint an appropriate representative.

  3. Understand what policies, procedures and other documents may need revising following Brexit.

  4. Regardless of the type of Brexit, the Data Protection Act 2018 will remain in force as this is domestic legislation. In terms of the GDPR, the Government has passed regulations that mean the GDPR will be incorporated directly into UK law (becoming the “UK GDPR”) and operating alongside the DPA 2018. If we Brexit with a ‘deal’ then there is likely to be a transition period where the GDPR will apply before we move to fully domestic arrangements. This may potentially allow for more detailed arrangements to be agreed to govern the transfer of data from the EU to the UK.

    In any event, priority should be given to updating privacy notices and other data subject facing documents so that they can continue to understand how to exercise their data subject rights and to ensure you can continue to demonstrate compliance with your transparency obligations.

  5. Maintain a watching brief to ensure that you are aware of important developments and any new guidance that is published.

  6. Finally, the Information Commissioner’s Office has published guidance to assist organisations with preparing for Brexit, including recent guidance aimed and small and medium organisations. Being familiar with this guidance and following it where appropriate will help your organisation to prepare and ensure you can meet your accountability obligations under the GDPR.

focus on...

Upcoming webinars

In-House Lawyers - 12 June 2020

Join us for our in-house Lawyers webinar, where we focus on practical solutions that you can utilise from home in your agreements and your dealings with business, where we deal with data and digital law and how the effects of covid-19 have changed the legal privilege for in house lawyers.

View

Upcoming webinars

COVID-19 for Local Authorities, Arms Length Bodies and Government

Join our COVID-19 for Local Authorities, Arms Length Bodies and Government webinar.

View

Legal updates

Staff working from home? How do you keep data secure?

Data protection law requires every business that deals with personal data to ensure that they have “Technical and Organisational Measures ” in place to keep that data secure. Losing that data could seriously damage the company’s reputation and potentially land it with a fine from the ICO and with claims for compensation.

View

Legal updates

Data protection and Coronavirus

The ICO has recently released updated guidance for businesses who are grappling with concerns around data protection compliance during the ongoing Covid-19 (Coronavirus) pandemic

View

The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.

Charlotte Harpin

Charlotte Harpin

Senior Associate (New Zealand Qualified)

View profile

mailing list sign up



Select which mailings you would like to receive from us.

Sign up