UK exit from the EU - No Deal and transfer of personal data

There are many businesses which rely on the transfer of personal data across borders.

From 1 January 2021, depending on the outcome of negotiations during the transition period between the UK and EU, new legal restrictions may apply to the transfer of personal data between the UK and the countries of the EU/European Economic Area (EU plus Norway, Iceland and Liechtenstein).

Restrictions may also apply to the transfer of personal data between the UK and: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the USA.

‘Personal data’ includes information that could be used to identify an individual such as name, address, number, IP address or cookie identifier.

What does this mean?

In the event of a non-negotiated outcome, there may be no legal basis for continued transfer of personal data from EEA countries to the UK.

A business based in Northern Ireland may, for example, be legally unable to:

  • access payroll data stored in the Republic of Ireland
  • receive customer names and addresses from a company in the Netherlands
  • access details of employees of subsidiary companies in Germany

The UK Government has indicated that the transfer of personal data from the UK to the EU and wider EEA would still be permitted in this scenario.

Indications of Business Preparedness

In late 2019, the Department for the Economy hosted an online questionnaire seeking information on business preparedness for changes to data protection under EU Exit. Of the businesses that responded to the survey:

  • 70 per cent advised that EEA data was essential for business functions
  • 65 per cent thought no deal EU exit would have a big impact on their business
  • 6 per cent have undertaken all actions to prepare for a no deal exit, a further 20 per cent have undertaken some action
  • Key challenges for business - understanding legal requirements, time/resource, political uncertainty

What can business do?

In advance of a non-negotiated outcome, businesses can undertake mitigating actions, including agreeing new contractual terms with partners in the EEA. 

However, these mitigations may be complex for some businesses, and are subject to some legal uncertainty.

The UK Information Commissioner’s Office has published guidance for business at Information Commissioners Office (ICO) website.

Back to top