Department for Business, Energy and Industrial Strategy publishes guidance on using personal data after Brexit

The Government explains that if there is a deal between the UK and the EU, the implementation period will mean data controllers see no immediate change in their day-to-day obligations. Personal data will be able to flow freely from the UK to the EU and from the EU to the UK during the implementation period.

As set out in the Political Declaration, the EU will begin its assessment of the UK as soon as possible after the UK’s withdrawal, endeavouring to adopt an adequacy decision (which would allow the continued free flow of personal data from the EU to the UK) by the end of the implementation period.

If there is “no deal”, UK businesses will need to ensure they continue to be compliant with data protection law. There will be no immediate change to the UK’s data protection standards. The General Data Protection Regulation (GDPR) would be brought into UK law and the Information Commissioner would remain the UK’s independent supervisory authority on data protection.

UK businesses will continue to be able to send personal data from the UK to the EU. In recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU (including the EEA).

However, the Guidance explains, there will be a change to the way data is shared from the EU to the UK. The Government says that while it would like the European Commission to adopt an adequacy decision in respect of the UK as soon as possible, it does not expect an adequacy decision to have been made at the point of exit in March 2019.

In terms of what businesses need to do now, the Information Commissioner’s Office has set out six steps to take to prepare for EU exit in a “no deal” scenario. The Government advises early action, as changes may take some time to implement.

Businesses should continue to apply GDPR standards and follow current ICO guidance. Data Protection Officers can continue in the same role for both the UK and Europe.

Businesses should identify from where they receive data into the UK from the EEA. They should consult ICO guidance and think about what GDPR safeguards can be put in place to ensure that data can continue to flow once the UK is outside the EU. Standard contractual clauses are one such GDPR safeguard, the Guidance advises, and it recommends consulting the ICO interactive tool to help businesses understand and complete standard contractual clauses.

Businesses should also identify where they transfer data from the UK to any country outside the UK, as these will fall under new UK transfer and documentation provisions. Structure, processing operations and data flows should be reviewed to assess how the UK’s exit from the EU will affect the applicable data protection regimes.

Privacy information and internal documentation should also be reviewed to identify any details that will need updating when the UK leaves the EU.

Businesses should also inform staff, making sure that key people in the organisation are aware of the issues. These steps should be included in any planning for leaving the EU, and staying up to date with the latest information and guidance is also important.

Finally, businesses should consider professional advice on how these arrangements could affect the business.