The Department for Digital, Culture, Media & Support has published a technical note on data protection and the actions UK organisations should take to ensure a smooth flow of personal data between the UK and EU in the event of a ‘no-deal’ Brexit. Currently, the protection framework for personal data is facilitated by the General Data Protection Regulation (GDPR) (at EU level) and the Data Protection Act 2018 (DPA). In a ‘no-deal’ environment post Brexit, the government envisages no immediate change in the UK’s own data protection standards as the EU Withdrawal Act would incorporate GDPR into UK law, supplemented by the DPA. The UK would, at the point of exit, continue to allow the free flow of personal data from the UK to the EU, although this would be kept under review.

However, the GDPR does not permit the transfer of personal data by organisations in the EU to those in the UK when it is a third country without a Commission equivalency decision. As the Commission will not enter negotiations for this decision until the UK is a third country, the government advises UK organisations to consider putting standard contractual clauses in place that allow the free flow of personal data. There are model data protection clauses that are approved by the European Commission which organisations can embed as contractual obligations. Derogations may also be relied upon on certain circumstances.