The Department for Digital, Culture, Media and Sport (“DCMS”) has issued technical guidance outlining the consequences for UK / EU data protection under a “no-deal” Brexit. The guidance clarifies:

  • The UK does not plan to make any immediate changes to its own data protection standards, or proposed adoption of the GDPR.
    • The Data Protection Act 2018 will remain in place and the European Union (Withdrawal) Act 2018 (together with an accompanying Statutory Instrument) will incorporate the GDPR into UK law.
    • The UK will continue to support the adequacy of the EU for personal data transfers, so UK to EU personal data transfers will remain valid without the need for further safeguards.
  • The legal framework governing the transfer of personal data from the EU to the UK will however change.
    • Short of any deal to the contrary, post-Brexit the EU will treat the UK as a “third country” and personal data transfers from the EU to the UK will be “restricted” pursuant to Chapter V of the GDPR.
    • This means specific safeguards will need to be adopted to support the lawful transfer of personal data to the UK in this scenario.
    • The DCMS encourages organisations to be aware of this risk and be ready to consider the adoption of standard contractual clauses (or other appropriate transfer arrangements) in the event of a “no-deal” Brexit.

The UK’s preferred negotiating position is to secure an adequacy determination within the ultimate EC withdrawal treaty to maintain a free flow of data between the UK and the EU. At the present time, such an outcome is far from certain and organisations are being advised to take contingency action. The DCMS encourages organisations to look to the ICO for further guidance and practical support on the issue, including guidance on the overall framework for international personal data transfers and options for adopting standard contractual clauses. The ICO are still in the process of preparing this guidance, but it will be available shortly on the ICO website.

For further recent ICO guidance on the scope of international transfers under the GDPR, please refer to our previous post.