Privacy & Information Security Law Blog

On January 15, 2019, the UK House of Commons rejected the draft Brexit Withdrawal Agreement negotiated between the UK Prime Minister and the EU by a margin of 432-202. While the magnitude of the loss sets in motion a process which could potentially have resulted in an early general election being held, on January 16 a majority of British Members of Parliament rejected a vote of no confidence in Theresa May’s government.

While calls for a fresh referendum are gathering momentum, and the possibility of an exit from the EU without an agreed-upon plan continues to loom large, from a data protection perspective the UK Information Commissioner’s Office’s (“ICO”) recently published guidance for businesses regarding the consequences of a UK exit without a deal remains relevant. In this guidance, the ICO has recommended six steps for companies to take in the event of a hard Brexit, including:

• Continue to apply GDPR standards and follow current ICO guidance;
• Identify relevant data flows from the EU to the UK and ensure appropriate data transfer mechanisms are in place in respect of those transfers once the UK leaves the EU;
• Identify relevant data flows from the UK to any country outside the UK, as these data transfers will require a separate data transfer mechanism in due course;
• Review and assess the company’s operations across the EU, and assess how the UK’s exit from the EU will affect the data protection regimes that apply to the company;
• Review privacy-related documents (e.g., notices) and internal documentation to identify any details that will need to be updated once the UK leaves the EU; and
• Ensure that key individuals within the organization are aware of these key issues, involved in relevant planning activities, and kept up to date with the latest information and guidance.

In addition, the ICO has published guidance on the effects of leaving the EU without a Withdrawal Agreement, which provides detailed explanations in relation to how various aspects of the GDPR will apply in the UK in the event of a no-deal Brexit. Those areas include data transfer restrictions, the appointment of representatives, the one-stop-shop, the ICO’s participation in the European Data Protection Board, and various other matters. Finally, the ICO has published a general overview of the issues at stake in the form of frequently asked questions.

The ICO has indicated that it will provide more detailed guidance as the situation develops further. View the ICO’s guidance.