Following Brexit, the rules about how personal data flows between the EU and the UK will change. The basis on which the UK will leave the EU has still to be decided. The government has made clear that the General Data Protection Regulation (GDPR) will be absorbed into UK law at the point of exit, so there will be no substantive change to the rules that most organisations need to follow.
But organisations that rely on the transfers of personal data between the UK and the European Economic Area (EEA) may be affected.
Personal information has been able to flow freely between organisations in the UK and European Union without any specific measures. That’s because we have had a common set of rules - the GDPR.
But this two-way free flow of personal information will no longer be the case if the UK leaves the EU without a withdrawal agreement that specifically provides for the continued flow of personal data.
In this event, the government has already made clear its intention to permit data to flow from the UK to EEA countries. But transfers of personal information from the EEA to the UK will be affected.
Guidance from the Information Commissioner’s Office:
- Data protection and Brexit: ICO advice for organisations
- Data protection if there’s no Brexit deal
- Leaving the EU: 6 steps to take
Information relating to business on the Business Wales Brexit portal.