How will a no-deal Brexit affect UK data transfers?

Published on Tuesday, October 1, 2019 - 09:26 by Peter Galdies

The 31 of October is looming, and a no-deal Brexit is starting to look like a very real possibility. Many industries will be affected overnight if this takes place, and there are now serious concerns around how UK organisations will be able to share data with their EU partners.

Under EU law, should a no-deal Brexit take place the UK will become a “third country” not bound by the GDPR’s legislation, and able to deviate from the existing strong standards if parliament decides on that course of action.

Consequently, data from EU countries would not be able to flow freely to the UK, which could end up with disastrous and unpredictable consequences. Whilst the UK had hoped that the EU would grant it a special status which would recognise the UK’s data protection regime as equal to the EU’s, the EU has instead committed to assessing the UK for “adequacy”.

This means the UK will need to undergo a period of continuous assessment before getting the green light for data transfers to go ahead unimpeded.

In the past, the process of granting adequacy has taken between 18 months and five years.

This article explains the repercussions that a no-deal Brexit will have on data transfers, along with guidance on the steps organisations should consider taking now to prepare.

What will happen in the event of a no-deal Brexit

Should the UK leave the EU without a deal, there will be no transition period before it becomes a ‘third country’.

This will have several major ramifications.

Adequacy decisions

Under the GDPR, organisations in third countries can only process EU residents’ personal data if:

  • There is an adequacy decision, as per Article 45 of the GDPR
  • If they rely on Standard Contractual Clauses (SCC), as per Article 46
  • If they rely on Binding Corporate Rules (BCR), as per Article 47
  • It is essential for a contractual obligation with the data subject
  • There is a specific consent for the transfer from the data subject

The adequacy decision procedure cannot begin until exit day. If there is a no-deal and no transition period, UK organisations that process EU residents’ personal data must ensure SCCs or BCRs are in place before then so their data processing activities remain lawful under the GDPR.

These are formal contracts between organisations that share personal data (including partners and suppliers), which supply the framework on how the data will be protected.

The EU Privacy Shield Agreement

Whilst UK government has stated that “UK organisations will continue to be able to legally send personal data from the UK to the EEA and 13 countries deemed adequate by the EU” (including to US members in the EU-US Privacy Shield), it’s pretty much impossible to gauge how long this will be the case, particularly as the UK will have no further say on how the Privacy Shield will be imposed or revised, as it’s an EU agreement.

Consequently, a specific consent SCCs or BCRs are the only real course of action for UK data controllers that require certainty over utilising US data processors, either directly or via suppliers and partners.

EU representatives

GDPR and DPA 2018 compliance will still be mandatory.

Just like all other organisations that are based in a third country and supply services to the EU, UK organisations will also need a representative in the EU, under Article 27 of the GDPR.

In the event of no-deal Brexit, the government has specified that it plans to duplicate the Article 27 provision to necessitate controllers based outside of the UK to employ a representative in the UK.

Should the UK exit the EU without a transition period, a controller or processor located outside the UK (but bound by UK data protection laws by virtue of their extra-territorial impact) may be required to appoint a UK representative.

Your EU representative can be any legal person who’s based in an EU member state within which you collect personal data.

If your organisation collects information from the entirety of the EU, you can appoint a representative from any EU member state. However, if you only collect personal data from data subjects in Germany, for example, your EU representative must be based in Germany.

If you have several different countries to choose from, it’s best to select either the one where you collect the most information, or conduct the most extensive monitoring.

Cyber-security weaknesses

Cyber-criminals relish periods of commotion, and the time building up to Brexit and beyond will encompass significant distraction.

Organisations should expect to see Brexit-themed phishing scams, in addition to other types of cyber-attack that will try to take advantage of an organisation’s uncertain security position.

We advise organisations to act now and ensure:

  • Cyber defences are updated and adequate
  • Incident response plans are tested and confirmed to work
  • Staff training and awareness of the threats is up to date – especially around identifying phishing attacks

With Brexit uncertainty lingering, we’re aware that organisations are hesitant to make data protection decisions when no one is sure if and when the UK will leave the EU, and which new requirements will kick in.

At DQM GRC, we provide practical solutions for organisations that either don’t have the necessary specialist expertise to fulfil their data protection obligations, or those that are just looking for extra privacy and compliance support on a provisional or project-based basis. 

Our expert consultants can provide additional support to help you answer queries, comply with the law, review your policies in line with the regulations and deal with data protection incidents.

To find out more about how we can help your organisation, call us now on 01494 442900 or complete our enquiry form:

No deal Brexit

Find out more?

Leave your contact details below and one of our expert team will be in touch

We will only use the contact details you supply on the basis of our legitimate interest to respond to your query and contact you about DQM GRC. You will always be given the opportunity to opt-out from future communications. Please read our privacy policy for more details.


Find out more..

If you are interested in any of our services then please either use the contact form or contact us via of the methods below:

  •   Telephone
  •   E-mail

  •   +44 (0)1494 442900