Upon the expiry of the post-Brexit transition period, the UK will become a third country for the purposes of EU data protection law. Transfers from the EEA to the UK will be subject to the same rules that apply to transfers to the United States and other countries outside the EEA. Even if there is an adequacy decision from the European Commission in relation to UK data protection law to enable the free flow of personal data, organisations in the UK that process personal data relating to EU citizens may be subject to dual regulation under both UK and EU data protection law. All organisations will need to review and update their privacy notices and internal policies and records.

With one month to go, here are 5 things that all organisations should do to ensure that they are prepared for changes to data protection law:

  • EEA/UK data transfers - if your organisation imports personal data from the EEA (for example employee information from an EEA subsidiary or as a processor for an EEA customer), then you need to take steps to review your contracts to ensure that the transfer can continue if the European Commission does not make an adequacy finding in relation to UK data protection law.
  • Dual regulation - if you offer goods or services to individuals in the EU (or act as a processor) then you may continue to be subject to GDPR. Review your processing operations and identify whether you are going to be dual regulated by both UK data protection law and GDPR. EU entities may be caught by equivalent extra-territorial provisions in UK data protection law.
  • Local representative - if you will continue to be subject to GDPR, then you may need to appoint a representative in the EEA. EEA organisations may also need to appoint a UK representative. 
  • Internal records and procedures - review your Article 30 register. If your processing is going to be dual-regulated, does it accurately describe which processing is subject to which regime(s)? Do you know which supervisory authorities will have oversight of your processing activities? Are your internal policies and procedures up to date? If you use the one-stop shop mechanism for a single supervisory authority, have you identified which supervisory authorities will regulate your organisation going forward? 
  • Privacy notice - review your privacy notice and ensure that it is up to date. Do you explain the transfers that you make outside the UK? Do you correctly explain which data protection regime(s) apply to your processing of personal data?

For more information, please visit our Brexit Hub or download our guide to Data Protection and the End of the Post-Brexit Transition Period, which contains a handy checklist.

If you would like to discuss how Brodies can help your organisation prepare for the end of the post-Brexit transition period, please contact Martin Sloan or Grant Campbell.


Martin Sloan