Data protection and Brexit – ICO advice for organisations
Businesses, especially SMEs, are being prepared for a possible no-deal Brexit.
Even though the basis on which the UK will leave the EU has yet to be decided, the Government has made it clear that the General Data Protection Regulation (GDPR) will be absorbed into UK law at the point of exit, so there will be no substantive change to the rules that most organisations need to follow.
But companies that rely on transfers of personal data between the UK and the European Economic Area (EEA) may be affected. The GDPR allows for the free flow of personal information between companies in the UK and the European Union, but if the UK leaves the EU without a withdrawal agreement that specifically provides for the continued flow of personal data, it will no longer be possible to exchange personal information.
In this event, the Government has already made clear its intention to permit data to flow from the UK to EEA countries. But transfers of personal information from the EEA to the UK will be affected.
The ICO has published guidance and practical tools to help organisations understand the implications and plan ahead. These comprise:
- a ‘Six Steps to Take’ guide;
- broader guidance on the effects of leaving the EU without a withdrawal agreement; and
- a general overview in the form of Frequently Asked Questions.