Here’s our summary of what will happen to data protection law if the UK leaves the EU without a deal.

The UK Government has published detail on what will happen if the UK leaves the EU without a deal.  The guidance set out plans for maintaining UK data protection and maintaining the free flow of personal data between the UK and the EU, which will still be important for political, economic and security reasons.

The EU (Withdrawal) Act 2018 (EUWA) will retain the rules contained in GDPR in UK law and the fundamental principles, obligations and rights that organisations and data subjects have become familiar with will stay the same.

To ensure the UK data protection framework continues to operate effectively when the UK is no longer an EU Member State the Government will make appropriate changes to the GDPR and the Data Protection Act 2018 using regulation-making powers under the EUWA.


Here’s our summary of the key changes, which we have put together using guidance issued by the UK Government; Department for Digital, Culture, Media & Sport:


No change to Controllers and Processors obligations

In a ‘No Deal’ scenario, the responsibilities of data controllers and processors across the UK will not change.

Data subjects will continue to benefit from the same high levels of data protection as they do now and the same GDPR standards will continue to apply in the UK.

The UK Information Commissioner’s Office (ICO) will remain the UK’s independent regulator for data protection.


Free flow of data unaffected for the period of transition

The UK will transitionally recognise all EEA states as providing an adequate level of protection for personal data, so personal data can continue to flow freely from the UK to these destinations following the UK’s exit from the EU.

The UK cannot provide for free flow of data into the UK; that’s up to the jurisdictions outside of the UK who will provide their own rules on the transfer of data to the UK.

For those that rely on data transfers from the EU, alternative mechanisms for such transfers are available.

UK organisations will need to work with their EU counterparts to make sure an alternative mechanism for transfer (such as standard contractual clauses) is in place.


The EU will be treated just like other territories with adequacy decisions

An adequacy decision is when one country recognises that the data protection in another country is such that it’s safe enough to send personal data there in the knowledge it will be treated correctly.

Where the EU has made an adequacy decision in respect of a country or territory outside of the EU prior to Exit day, the UK government intends to maintain it.  This will mean that transfers from UK organisations to those adequate countries can continue uninterrupted.

So, the EU will be treated just like the other countries where there are adequacy decisions. The countries currently recognised are Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States of America as long as the transfer is under the Privacy Shield framework.

Contractual clauses will continue to be recognised

Provision will be made so that the use of Standard Contractual Clauses (SCCs) that have previously been issued by the European Commission will continue to be an effective basis for international data transfers from the UK in a ‘No Deal’ scenario.

This means that organisations that transfer personal data to organisations overseas on the basis of SCCs can continue to rely on them. Under the proposed regulations, the Information Commissioner will have the power to issue new SCCs after Exit day.

No change to Binding Corporate Rules (BCRs)

Existing authorisations of Binding Corporate Rules (BCRs) made by the Information Commissioner will continue to be recognised in domestic law. After Exit day the Information Commissioner will continue to be able to authorise new BCRs under domestic law.

Extraterrestrial scope rule will be maintained

The EU GDPR applies to controllers or processors who are based outside of the territory where they are processing, and to the processing of citizens of those countries.

The Government intends to retain the extraterritoriality of the UK’s data protection framework. This will mean that that the UK framework will apply to controllers or processors who are based outside of the UK where they are processing personal data about individuals in the UK in connection with offering them goods and services, or monitoring their behaviour.

This includes controllers and processors based in the EU.

Article 27 rules (Representation) will apply to both territories

Where an organisation is based outside the territory it’s processing in, or it’s processing data belonging to citizens of a country it’s not based in, article 27 of the EU GDPR requires a controller or processor not established in that territory to designate a representative within it.

The Government intends to replicate this provision to require controllers based outside of the UK to appoint a representative in the UK.

Controllers and processors in the EU will need to appoint a UK Representative and those in the UK will need a European representative.

How can Univate Help?

We’ve been prepared for any eventuality when it comes to Brexit for some time.  Having a presence in both the UK and Europe means that we’re uniquely prepared to represent any business, anywhere so whether you’re a UK business that needs a European Representative, or a European business that needs a UK representative or a business based anywhere in the world that needs a representative in either or both of the territories, we can do that for you.

Click here to see details of our representative packages.