Using personal data after Brexit

When the UK leaves the EU there may be changes to the rules governing the use of personal data.

This is particularly relevant to UK businesses and organisations which:

  • operate in the European Economic Area (EEA), which includes the EU
  • send personal data to, or receive it from, international partners, including those in the EEA

What is personal data

Personal data refers to any information that can be used to identify a living individual, including their name, their physical or IP address, or information used in HR functions, such as staff working hours and payroll details.

An example of an international exchange of personal data would be a UK company that receives customer information from an EU company, such as names and addresses, in order to provide goods or services.

What your business or organisation needs to do now

The Information Commissioner’s Office (ICO) has set out 6 steps your business or organisation should take, along with further guidance, to prepare for EU exit in a no deal scenario.

You should:

  1. Continue to comply with GDPR rules and follow ICO guidance.
  2. Review your data flows into the UK from the EEA and consider the GDPR safeguards you will need to put in place.
  3. Review your data flows from the UK so that you can document the new basis for these transfers under UK transfer rules.
  4. If you operate across Europe, you should assess how the UK’s exit from the EU will affect the data protection regimes that apply to you.
  5. Review the privacy information and internal documentation that you hold to identify any details that will need updating.
  6. Make sure that key people in your organisation are aware of these issues and include these steps in any planning for leaving the EU.

How this will affect your business or organisation if there’s a deal

The implementation period will mean data controllers see no immediate change in their day-to-day obligations.

Personal data will be able to flow freely from the UK to the EU and from the EU to the UK during the implementation period.

As set out in the Political Declaration, the EU will begin its assessment of the UK as soon as possible after the UK’s withdrawal, endeavouring to adopt an adequacy decision (which would allow the continued free flow of personal data from the EU to the UK) by the end of the implementation period.

How this will affect your business or organisation if there’s no deal

UK businesses or organisations will need to ensure they continue to be compliant with data protection law.

There will be no immediate change to the UK’s data protection standards. The General Data Protection Regulation (GDPR) would be brought into UK law and the Information Commissioner would remain the UK’s independent supervisory authority on data protection.

UK businesses or organisations will continue to be able to send personal data from the UK to the EU. In recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU (including the EEA).

There will be a change to the way data is shared from the EU to the UK. While we would like the European Commission to adopt an adequacy decision in respect of the UK as soon as possible, we do not expect an adequacy decision to have been made at the point of exit in March 2019.

What will happen after the UK leaves the EU

Arrangements to ensure the protection and free flow of personal data will underpin the economic partnership, as well as the security partnership.

The UK and the EU have also agreed to make arrangements for cooperation between the UK’s Information Commissioner’s Office (ICO) and the EU Data Protection Authorities.

Further information

Preparing for EU Exit homepage

Published 6 February 2019
