Leaving the EU without a deal – data protection advice from the Government

13 December 2018

The DCMS advises UK businesses who operate internationally to take early action as changes may take time to implement.

The DCMS advises UK businesses who operate internationally to take early action as changes may take time to implement.

The government has issued guidance about data protection in the event of a ‘hard’ Brexit. 

An online notice published on 13 December by the Department for Digital, Culture, Media and Sport (DCMS) said: “In the unlikely event that the UK leaves the EU on 29 March 2019 without a deal, UK businesses will need to ensure they continue to be compliant with data protection law. 

“For UK businesses that operate only within the UK there will be no immediate change.

"For UK businesses that operate internationally or exchange personal data with partners in other countries there may be changes that need to be made ahead of the UK leaving the EU to ensure minimal risk of disruption.”

The DCMS emphasises the importance for businesses to review whether they would be affected.

For those that are, it advises early action as changes may take some time to implement.

Citing guidance from the Information Commissioner’s Office (ICO), the DCMS outlines the following six steps that business should be taking in preparation for exiting the EU:

  1. Continue to apply GDPR standards and follow current ICO guidance. If you have a data protection officer, they can continue in the same role for both the UK and Europe.
  2. Review your data flows and identify where you receive data into the UK from the European Economic Area (EEA). Think about what GDPR safeguards you can put in place to ensure that data can continue to flow once the UK is outside the EU.
  3. Review your data flows and identify where you transfer data from the UK to any country outside the UK, as these will fall under new transfer and documentation provisions.
  4. If you operate across Europe, review your structure, processing operations and data flows to assess how the exit from the EU will affect the data protection regimes that apply to you.
  5. Review your privacy information and your internal documentation to identify any details that will need updating when the UK leaves the EU.
  6. Make sure key people in your organisation are aware of these key issues.Include these steps in any planning for leaving the EU, and keep up to date with the latest information and guidance.

See ICO’s  full guidance.