Brexit and Data Protection

On 11th September 2019, the Information Commissioner's Office ("the ICO") , the UK public body responsible for monitoring and enforcing compliance with data protection law, published guidance specifically focussed at small and medium sized organisations ("SMOs")  on how to comply with data protection laws in the event of a "no deal" Brexit. 

This guidance complements  existing more general guidance  on the subject, which  the ICO had already issued, but is written in a way which is intended to be more relevant to SMOs. It also stresses the advisability for SMOs that target customers within the EU to check EU laws and local laws as to whether they need to appoint a representative within the EU for  data protection compliance purposes.

The  EU General Data Protection Regulation ("GDPR") has already been adopted by the UK and will almost certainly survive Brexit (whether "deal" or" no deal") in the UK. The critical point, however, is that in the event of Brexit , the UK will by definition be a "third country" for personal data transfer purposes with the result that the transfer of personal data to the UK from the EU would be heavily restricted by EU law unless the necessary safeguards are put in place by the parties.  

There is perhaps nothing very remarkable in the further guidance that the ICO has now provided but it is evidence at least of the Government's publicly stated commitment to help UK organisations and individuals prepare for a "no deal" Brexit.

There is likely to be more of this type of help in the lead - up to Brexit day (currently 31st October 2019 at 11pm UK time).