Brexit may lead to greater restrictions on the transfer of personal data from the EU to the UK. UK organisations will need to be prepared.

By Philip Brining

When the UK leaves the EU on 29th March 2019 the GDPR will already have become law in every other EU member state.

The regulations governing the international transfers of personal data are set out in Chapter V of the GDPR. It stipulates that, for the purposes of data transfers abroad, any country that is not part of the European Union must be treated as a ‘third country’.

Transfers of personal data from organisations within the EU to organisations within third countries are subject to additional restrictions. Specifically, an organisation within the EU may not transfer personal data to a ‘third country’ unless:

  • the EU has conferred that country with ‘adequacy status’ (i.e. the EU has formally recognised that state as offering an adequate level of protection to personal data); or

  • the organisation the data is being transferred to has put adequate safeguards in place to protect that data.

As the UK is still currently part of the EU, these restrictions don’t affect European organisations who transfer personal data to us at the moment. However, when the UK leaves the EU it will become a ‘third country’ for the purposes of the GDPR and those restrictions will come into play. UK organisations will therefore need to start looking for ways to ensure that the flow of data from their EU suppliers, subsidiaries and customers continues uninterrupted after Brexit.

It might not be prudent to pin all hopes on the UK getting an adequacy decision from the EU. In the first instance, it is not entirely clear how long the UK would have to wait for an adequacy decision, or even if that decision would go in the UK’s favour. Consider that the European Commission has previously voiced concerns about the UK’s perceived failure to properly implement the Data Protection Directive (on which our current Data Protection Act is based). If those concerns are not addressed by the UK’s implementation of GDPR, then any adequacy decision may prove to be elusive.

This being the case, it seems more likely that UK organisations will have to meet the adequate safeguard requirements of the GDPR if they are to continue to exchange data with organisations in the EU, and they should therefore start planning now to make sure that they have adequate safeguards in place in time for Brexit.

Article 46 of the GDPR sets out several potential routes UK organisations could take to demonstrate that adequate safeguards are in place. Of these routes, the most straightforward option is likely to be to incorporate EU-approved standard contractual clauses into existing data sharing agreements with their EU partners.

So, our advice to UK organisations is to engage with your EU subsidiaries, suppliers and customers early. Agree on a contingency plan to put revised versions of your existing data sharing/processing agreement (with the appropriate clauses included) into force in the event the UK doesn’t achieve adequacy status after Brexit.

If you don’t address this issue promptly then your EU partners may start to make contingency plans of their own…to stop sharing data with you and conduct their business somewhere else.
