Brexit: New no-deal guidance issued for data transfers

Today the Department for DCMS has released a statement announcing new advice on data transfers in the ‘unlikely event the UK leaves the EU without a deal’.

There are a few key developments:

1. The UK will transitionally recognise all EEA states, EU and EEA institutions, and Gibraltar as providing an adequate level of protection for personal data.
2. Where the EU has made an adequacy decision in respect of a country or territory outside of the EU prior to Exit day, the UK government intends to preserve the effect of these decisions on a transitional basis. This will mean that transfers from UK organisations to those adequate countries can continue uninterrupted.
3. Provision will be made so that the use of Standard Contractual Clauses (SCCs) that have previously been issued by the European Commission will continue to be an effective basis for international data transfers from the UK in a ‘No Deal’ scenario. In practice, this means that organisations that transfer personal data to organisations overseas on the basis of SCCs can continue to rely on them.
4. The Government intends to replicate article 27 of the EU GDPR, which requires a controller or processor not established in the EEA to designate a representative within the EEA. The UK will require controllers based outside of the UK to appoint a representative in the UK.

For more information and to read the full statement by DCMS, click here.

The ICO has also released advice on processing personal data in a no-deal Brexit situation. You should familiarise yourself with their literature and review their ‘six steps guide’ in your preparations for no-deal. You can read this and other advice on no-deal Brexit planning from the ICO here.

In due course, the DMA will release our own advice on transferring data with the EU with specific reference to the data and marketing industry. If you have any questions on this, contact Zach.Thornton@dma.org.uk.