How a no-deal Brexit will impact data protection practices

With negotiations at an impasse, a no-deal Brexit is looking ever more likely. If we get to Dec 31st without a withdrawal agreement, how will this affect the transfer of personal data between the EU and UK?


Unless a Brexit withdrawal agreement that includes a data adequacy decision is reached – and ratified – in the next few weeks, the UK is set to become a ‘third country’ from a data protection perspective.

This means that from January 1st 2021, further measures and contracts will be required for transfers of personal data from Europe to the UK, placing an additional compliance burden on EEA companies that do business in the UK or have UK subsidiaries.

Data adequacy is all about demonstrating to the EU that a country is a safe place for data processing and storage, so that restrictions on transfers are not imposed. While you might expect that being granted data adequacy is just a formality for the UK, in reality it’s much more complicated, notes Camilla Winlo, DQM GRC’s director of consultancy.

Granting a data adequacy decision

“Adequacy decisions require a detailed examination of the country’s data protection environment, which usually takes months, or even years, to complete, and in the UK’s case, the Court of Justice of the European Union (CJEU) recently ruled one of the UK’s state surveillance laws to be unlawful under EU law,” she points out.

“The EU’s granted little more than 10 data adequacy decisions in the past,” continues Enza Iannopollo, a senior analyst at Forrester. “It takes into account a variety of factors when determining adequacy, from privacy rules and regulations, through to regulator activity, government policies and practices and whether enough legal remedies exist to protect privacy rights.
