The impact of ‘Brexit’ on data transfers

European Union flag


With just over six months to go until the UK exits the European Union, the Government has started to issue guidance on what will happen if there is ‘no deal’ by the 29th March 2019.

As we all know, the current data transfer rules are set out at European level in the General Data Protection Regulations (GDPR) which came into force on 25th May 2018.  Under the current rules, transfers within the EEA are permitted BUT, on 29th March 2019 the UK will become a ‘third country’ for the purpose of the applicable legislation.

So, what does this mean?

The Data Protection Act 2018 will remain in force and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside the domestic legislation.

UK-EU Transfers

The Government has recognised the ‘unprecedented degree of alignment’ between the UK and EU data protection regimes and has confirmed that at the point of exit they will allow the free flow of personal data from UK to the EU (this will be kept under review).

EU-UK Transfers

These transfers become more complicated as the UK will be deemed a ‘third country’.  Under the GDPR, transfers to a ‘third country’ can only take place in defined circumstances –

  • There is an ‘adequacy decision’ in place; or

  • There are appropriate safeguards in place.

Adequacy decisions are currently in place for Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.  The adequacy finding for Canada only covers data subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the finding for the US is for transfers covered by the EU-US Privacy Shield Framework (currently subject to challenge by the EU Commission).

Appropriate safeguards are –

  • A legally binding and enforceable instrument between public authorities or bodies;

  • Binding corporate rules (BCRs);

  • Standard data protection clauses adopted by the Commission;

  • Standard data protection clauses adopted by a supervisory authority and approved by the Commission;

  • An approved code of conduct together with binding and enforceable commitments of the receiver outside the EEA;

  • Certification under an approved certification mechanism together with binding and enforceable commitments of the receiver outside the EEA;

  • Contractual clauses authorised by a supervisory authority.

So, how does this impact me and what do I need to do?

The UK Government has expressed its intention to apply for an adequacy decision but the EU has stated that the process cannot be started until after 29th March 2019 and obtaining a decision can be a lengthy process. This means that EU-UK transfers will need to have appropriate safeguards in place.

If your organisation transfers data from the EU to the UK, or if you are an organisation in the UK that receives data from EU then you should look to implement standard contractual clauses as a matter of urgency – the latest approved version can be found on the EU Commission’s website.  It’s important to note that the current version was approved pre-GDPR and should be updated.

UK organisations who offer goods and services to data subjects within the EU will need to appoint a representative within the EU.

You can find out more here through these links:

Get in touch

If you’d like to discuss our data protection services, then contact one of our helpful experts today.


Testimonial from Right Legal
"We have been using Teal to support our compliance frameworks, and every aspect of our experience with them has been fantastic. From the training to the audits, and especially the ‘Ask Teal’ helpline, nothing is too much trouble, and you get quick support from some of the industry’s best compliance experts. Just having them there to support our continued growth takes a huge weight off my mind. Highly recommend to firms of all size and structure!"
Get in touch
Testimonial from Constantine Law
"We rely on Teal Compliance to provide responsive, practical compliance services to Constantine Law (we do not have an in-house compliance officer/function). I would encourage all solicitor firms without their own resource to engage with Teal: they know what they are doing and they provide peace of mind regarding day-to-day compliance matters as well as responses to unforeseen (tricky) compliance matters. They have become an indispensable partner to Constantine Law in our growth journey."
Get in touch
Testimonial from Streathers Solicitors
"We have worked with Teal for several years. They have provided us with AML training and also helped us put together our firm-wide AML risk assessment and our updated AML policy, along with assisting us with various issues as and when they arose. We have always found them to be very helpful, friendly, responsive and knowledgeable, and are happy to recommend them."
Get in touch
Testimonial from Streathers Solicitors
"We have had a relationship with Teal for a number of years and they have provided a valuable resource to our compliance team. Teal combine the delivery of a personal and friendly service with city level expertise."
Get in touch
Previous slide
Next slide