Brexit and Data Considerations


By Matthew Reeve on 7th May, 2019.

What happens to your data after Brexit?

I appreciate Brexit is wearing thin on everyone’s patience and therefore the title of this blog post may have you running for the hills, but it does throw up some pretty serious questions about data regulation. In January, The Information Commissioners Office (ICO) warned UK businesses to prepare for the very possible scenario of crashing out of the EU without a deal.

The published guide, aimed at smaller UK businesses, was obviously in preparation for the proposed 29th of March leaving date. But with that target coming and going, and no further assurances over the UK’s future in the European Union, its relevance remains. In this blog post we will breakdown the guidance shared by Information Commissioner Elizabeth Denham and the implications of a no-deal Brexit on your data.

Please remember however, that this blog post has been written for information purposes only, to raise awareness of these issues and prompt further, more detailed investigation. Its contents should not be relied upon in any specific situation without taking relevant legal and professional advice.

Unrestricted Data

At the moment personal data flow is unrestricted because the UK is an EU member state. If the proposed EU withdrawal agreement is approved, businesses can be assured that personal data will continue to flow until 2020 while a longer-term solution can be put in place.

Information Commissioner, Elizabeth Denham

With the sharing of customer and employee information between the UK and European Union member states vital to some business’s operations, many will be relieved to hear that even in the event of a no-deal Brexit, the UK government will ensure the flow of data remains uninterrupted from the UK to the EU. However, a no-deal scenario would undoubtedly affect transfer of data flowing the other way, as the UK would essentially be regarded as a third country.

It’s important individuals and businesses know their exact data movements and requirements. For example, do your supply chains require personal information to be sent from the UK to the European Economic Area (EEA) or the other way around? Bear in mind that when a customer personally passes their information on it isn’t considered a data transfer.

Adequacy Agreement

Although it is the ambition of the UK and EU to eventually establish an adequacy agreement, it won’t happen yet. Until an adequacy decision is in place, businesses will need a specific legal transfer arrangement in place for transfers of personal data from the EEA to the UK, such as standard contractual clauses.

Information Commissioner, Elizabeth Denham

An adequacy agreement is where non-European Union member states boast the same levels of data protection standards as the EU themselves. Therefore, any country with an adequacy agreement can enjoy interrupted flow of data. However, obtaining an arrangement such as this can be a lengthy process and the EU have remained adamant that these discussions cannot begin until after the UK has officially left.

As the UK has adopted the GDPR, its almost certain that an adequacy agreement would eventually be met. However, with a no-deal scenario practically requiring a fresh slate of polices and arrangements, the Government has advised UK organisations to consider assisting EU partners in identifying legal basis for the concerned transfers.

Company Structure

Don’t presume you are covered by the structure of your company. In the case of ‘no deal’, UK companies transferring personal information to and from companies and organisations based in the EEA will be required by law to put additional measures in place. You will need to assess whether you need to take action.

Information Commissioner, Elizabeth Denham

Another important factor to consider is the structure of the company and assess this against the regulations for data transfer between the EEA and non-EU member states. As highlighted in this guide, don’t assume that because the parent company is located in Europe and holds all personal data at that site that that means new agreements for data flows are unnecessary.

The ICO have developed a tool to help businesses assess their current operations and data flows and decide what action they need to take in the event of a no-deal Brexit. The online tool can be found on their website, here.

We hope this blog post has been helpful, and we encourage you to regularly check the ICO’s website for the latest updates and advice. As always, if you have any questions, don’t hesitate to get in touch.


Matthew Reeve

Content Executive

Matthew is Secura’s content specialist, producing gripping, emotionally complex, edge of your seat, cloud hosting articles and videos.

Tweet me at:
@securacloud