Personal data is any information that can be used to identify a living individual, such as their name, their physical/IP address, or HR data such as staff working hours and payroll details. For example a UK company which receives customer information from an EU company, such as names and addresses, to provide goods or services.
If the UK leaves the EU without a deal, UK businesses and organisations will still need to be compliant with data protection law. There will be no immediate change to the UK’s data protection standards, the General Data Protection Regulation (GDPR) will be brought into UK law and the Information Commissioner would remain the UK.
If you only ‘export’ personal data from the UK to the EEA, you do not need to take any action.
UK businesses and organisations will continue to be able to legally send personal data from the UK to the EEA and 13 countries deemed adequate by the EU. There is no need to take preparatory action to continue sending personal data out of the UK to the EU/EEA.
If you do, you should review your contracts and, where absent, include standard contractual clauses (SCC) or other alternative transfer mechanisms (ATM) to ensure that you can continue to legally receive personal data from the EU/EEA.
There may be additional actions that some organisations need to take. The Information Commissioner’s Office (ICO) has further guidance your business or organisation should follow to prepare for Brexit and a handy tool to help you understand what to do.
If you need further information about personal data and sharing information in the event of a no deal Brexit you can find further guidance on the GOV.UK website.