The General Data Protection Regulation (GDPR) won’t be disappearing after Brexit, with the government planning to incorporate it into UK law, alongside the Data Protection Act 2018, after we leave the EU. Most of the data protection rules affecting small to medium-sized businesses and organisations will stay the same, whether or not we leave the EU with a deal.
In fact, the Information Commissioner’s Office advises businesses that the best preparation for data protection after Brexit is to ensure you are complying with the GDPR now. We’ve put together a summary of the ICO guidelines for small to medium-sized businesses on staying compliant with GDPR after Brexit.
If your agency already complies with the GDPR and you have no contacts in the EEA (the EU and Iceland, Norway, and Liechtenstein) who send you data, and no customers in the EEA, all you will need to do is review your privacy information and documentation to identify any minor changes that might need to be made after Brexit.
If a business or organisation in the EEA sends personal data to your business, the sender will still need to comply with EU data protection laws, and you will need to take action with them so the data can continue to flow after Brexit. For most businesses, SCCs (Standard Contractual Clauses) are the best way to keep data flowing into the UK, according to the ICO. SCCs are standard sets of contractual terms and conditions which both the sender and the receiver of the personal data sign up to, and they include contractual obligations to protect personal data when it leaves the EEA.
Transfers of data to the EEA will not be restricted after Brexit. This means if you send data from the UK to the EEA, you will still be able to do so, and you don’t need to take any additional steps other than reviewing your privacy information and documentation to identify any minor changes that might need to be made after Brexit.
For more information on data protection after Brexit, see ico.org.uk.