If the UK leaves the EU without a deal, then on that day (whether 12 April or the date on which any further extension to the Article 50 notice period expires) the UK will become a third country for the purposes of EU data protection law. To help organisations prepare for a no deal Brexit, we've prepared a checklist that summarises the key issues for different types of organisations - whether based in the UK or the EEA.

The guide also explains what changes will be made to data protection law in the UK immediately before exit day. These changes will take effect on the expiry of the Article 50 notice period if there is a no deal Brexit, or at the end of the transition period under any withdrawal agreement.

These changes mean that organisations in the UK need to think about:

  • Steps that need to be taken to ensure that transfers of personal data between the UK and the EEA/Gibraltar remain lawful
  • Whether processing activities are subject to UK data protection law or GDPR (or both)
  • Whether processing activities will now be subject to regulation from more than one supervisory authority
  • Whether organisations will need to appoint a representative in the EEA or UK
  • What changes need to registers of processing activities, policies and procedures and privacy notices
  • What changes need to be made to data sharing agreements and contracts between controllers and processors (including updates to template contracts)


Martin Sloan