The Information Commissioner’s Office (ICO) has published dedicated guidance to assist small and medium-sized businesses in their preparations for a no-deal Brexit and has urged them to “prepare for all scenarios” to maintain data flows when the UK leaves the EU. The guidance for small and medium-sized businesses is not entirely new as the ICO has, in fact, tailored its previously published no-deal Brexit guidance to be more relevant and accessible to smaller businesses.
At the moment, personal data flow is unrestricted because the UK is a member of the EU. In the event of no deal, EU law will require additional measures to be put in place when personal data is transferred from the EEA to the UK in order to make such data transfers lawful. The ICO’s guidance sets out steps to take to keep personal data flowing, such as using pre-approved contract terms. It says that:
- if you are a UK business that already complies with the GDPR and has no contacts or customers in the EEA, you do not need to do much more to prepare for data protection compliance after Brexit
- if you are a UK business that receives personal data from contacts in the EEA, you need to take extra steps to ensure that the data can continue to flow after Brexit
- if you are a UK business with an office, branch or other established presence in the EEA, or if you have customers in the EEA, you will need to comply with both UK and EU data protection regulations after Brexit and you may need to designate a representative in the EEA.