Legal Articles

Data transfers post Brexit

Home / Knowledge base / Data transfers post Brexit

Posted by Claire Halle-Smith on 01 November 2019

Claire Halle-Smith Senior Associate

In light of recent Brexit negotiations and subsequent parliamentary activity, the focus of the Information Commissioner’s Office (ICO) has turned to that of the continued lawful transfer of personal data between the UK and Europe in the event of a no-deal Brexit. 

In the event of a no-deal Brexit …

There are two considerations with respect to the transfer of personal data should the UK leave Europe without a deal in place, these are the way in which personal data is transferred:

  • from the UK; and
  • to the UK from Europe. 

Whether you are transferring personal data from the UK, or receiving data from a country within the EEA, existing law continues to apply in that these personal data transfers will be lawful if they are covered by an adequacy decision, an appropriate safeguard or an exception. 

Personal data transfers from the UK to Europe will continue to be unrestricted and so no further steps are necessary for UK organisations.  

For now, there are no restrictions on personal data transfers from Europe to the UK.  This could change as, should the UK leave the EU without a deal in place, it will not automatically be considered to provide an adequate level of protection to personal data. Therefore, any transfer of personal data from a country within the EEA to a business in the UK will be deemed a restricted transfer and shall require additional safeguards in order to transfer that data in compliance with the GDPR. This will apply regardless as to whether the business transferring the data is a controller, a processor or a sub-processor and applies to all organisations whether they be large multi-nationals, small or medium enterprises (SME) or sole traders.

In view of this, emphasis within the ICO guidance is placed on both small and large organisations who may receive data from countries within the EEA. Specific guidance for SMEs has been recently updated and is available on the ICO website, as is additional guidance for large organisations. In both cases, the ICO suggests the most straightforward way to comply is to adopt the Standard Contractual Clauses.

What are the Standard Contractual Clauses (SCC)?

The SCC are sets of clauses for use by controllers of personal data when sending and/or receiving personal data to or from another controller or a processor under the GDPR. These clauses are European Commission approved and deemed to offer sufficient protection for such data transfers. There are two sets of clauses, one is for use between two controllers of personal data, the other set is for use between a controller and a processor. 

Steps to take now:

  • Establish the effects of Brexit on your organisation – do you receive data from countries within the EEA?
  • If so, consider updating your existing contracts to include the SCC which will enable the continued transfer of data to your organisation.
  • Check with the organisation concerned, it may be, for example, that where it stores data on your behalf, it may agree to locate such storage facilities within the UK.
  • Should you currently transfer data from the UK to countries outside the EEA and you have no safeguards in place, consider adopting the SCC to lawfully transfer that personal data.
  • Should you have offices or a presence within Europe, ensure that their processing activities continue to comply with local data protection law.
  • Update your organisation’s privacy policy and any other relevant documents if required after Brexit.

About the author

Claire Halle-Smith

Senior Associate

Claire is a senior associate with extensive in-house commercial experience within the social care sector. Claire acts for a wide range of clients, from individuals and small businesses to larger, multi-national organisations.

Claire Halle-Smith

Claire is a senior associate with extensive in-house commercial experience within the social care sector. Claire acts for a wide range of clients, from individuals and small businesses to larger, multi-national organisations.

Recent articles

27 May 2020 Track and Trace: what are the limitations of the new NHS COVID-19 app?

The government’s new NHS Track and Trace app is at the heart of its plans for tackling the coronavirus, lifting the lockdown and helping us all return to normal as soon as possible.

Read article
27 May 2020 Employment law update: contractual changes implemented from 6 April 2020

With managing the impact of the Coronavirus pandemic taking a priority position on the agenda, understandably many employers have put the mandatory changes to Contracts of Employment implemented on 6 April 2020 on the back burner.

Read article
22 May 2020 How to value a house and its contents for probate

In order to apply for probate, executors have to provide HMRC with details of all assets and liabilities (including joint assets) and any gifts made by the deceased during the seven years prior to death.

Read article
How can we help?
01926 732512