Data protection

Although the Government intends that regulatory standards will not change on our exit from Europe, businesses should be ready to deal with any unforeseen consequences. Data protection regulation is a good example of this, as the framework of our data protection laws is set at an EU level. The Government’s guidance points out that this framework is enacted into UK law (as the GDPR which came into force in May 2018) so there would be no change on exit. However, whereas the free flow of personal data between entities based in the UK and in other EU countries is currently permitted, as matters stand that will change on exit, and cross-border processing of personal data will become more of a challenge.

So, for example, if you wish to continue to receive personal data from an EU entity such as a supplier, head office or subsidiary based in Europe, that EU entity can only make the transfer if ‘appropriate safeguards’ have been put in place (which in most cases will require the use of standard data protection clauses), because the UK will become a ‘third country’ on exit. The European Commission may, however, make an ‘adequacy decision’ (i.e. that UK data protection rules are sufficiently robust for the transfer of personal data from the EU), although this is looking increasingly unlikely at this point.

For those UK companies that currently transfer personal data to companies in the United States that are participants in the EU-U.S. Privacy Shield, it is not clear whether on exit such transfers can continue to be made on the same basis (as the UK will no longer be part of the EU). It may be that we will see changes made to the EU-U.S. Privacy Shield to allow UK to US transfers, or we may see a new privacy shield arrangement aimed specifically at such transfers (in much the same way that there is currently a Swiss-U.S. Privacy Shield for transfers of personal data from Switzerland to the United States).

Post-Brexit, it is much more likely that a contractual basis for the flow of such personal data will be needed. Any organisation which receives personal data about individuals, such as customers or staff, from the EU will need to review and update its contractual arrangements now; otherwise it could find itself unable to receive vital business information after March 2019.

For more information please contact Andrew Priest.