Ibec - for Irish business
Card 4 of 6

‘No-Deal’ Brexit - implications for data protection and business

4 February 2019


At the time of writing, the UK has yet to decide how it leaves the EU. This note outlines the governance of personal data transfers by organisations from the Republic of Ireland to the UK in a potential ‘no-deal Brexit’ scenario and provides related background information. This note is intended as general information and not detailed legal advice.

1. Data protection and business after 29 March in a ‘no-deal’ Brexit scenario

In the absence of a UK-EU ‘Withdrawal Agreement’ that provides for the continued flow of personal data (or a ‘no-deal’ Brexit scenario), organisations will need certain safeguard mechanisms to underpin the lawful transfer of personal data from the European Economic Area (EEA or ‘internal market’) to the UK (including Northern Ireland) after 29 March 2019. This scenario would impact the transfer of personal data from the EU to the UK and organisations conducting business with the UK.

Currently, the free movement of personal data across the EU (including the Republic of Ireland and UK) is underpinned by a common set of data protection rules, including the EU General Data Protection Regulation (GDPR). After the 29 March 2019, the UK becomes a ‘third country’, outside the EEA (including the EU) and additional ‘appropriate safeguards’ will be required for EEA-UK transfers of personal data. EU data protection rules permit the international transfer of personal data from the EEA to third countries when either:
    a) The European Commission has initiated an ‘Adequacy Decision’, a mechanism whereby the Commission formally recognises the data protection framework of a third country as ‘adequate’ – a form of equivalence, whereby personal data can flow from the EEA to the third country without any further safeguards. At the time of writing, no such agreed recognition is in train and the European Commission has indicated that the adoption of an adequacy decision is not part of its contingency planning for a no-deal Brexit scenario [1];
    or

    b) Organisations themselves, use an appropriate alternative safeguard mechanism to lawfully transfer personal data from the EEA to recipients in a third country. A common transfer safeguard mechanism is the use of approved standard or model contractual clauses between a data exporter and importer. Further information on the various lawful mechanisms for the transfer of personal data outside the EU is outlined in the links below [2].
It is understood that the UK government intends to permit a continuance of the current flow of personal data from the UK to recipients in the EU at the point of exit after the 29 March 2019. This will be subject to review [3].

2. Considerations in preparing for a no-deal Brexit scenario
    a) Measure risk to manage it. Review organisational awareness. Identify and map out your organisation’s current and planned data transfers to (and from) the UK. Identify contractual arrangements underpinning these transfers.

    b) Review and consider your transfer options. Review the approved EU mechanisms for the lawful transfer of personal data from the EEA to third countries. Consider which mechanism best fits your situation in preparing for a potential no-deal Brexit scenario before the 30 March 2019.

    c) Consider any organisational implications associated with different jurisdictions after 29 March 2019. Organisations who operate across Europe should assess how a potential no-deal Brexit could affect their data processing activities and the data protection regimes that apply to them. Consider if your organisation needs to reflect changes to international data transfers in your privacy notice and data protection documentation after 29 March 2019.
The data protection authorities in Ireland [4] and UK [5] have produced guidance on data protection in a no-deal Brexit scenario. The Irish Data Protection Commission (DPC) issued specific guidance around standard contract clauses in a potential no-deal Brexit scenario [6] (see links below).

Ibec is working with the DPC to ensure business is best supported and informed in preparing for a potential no deal Brexit scenario. Ibec recently held a well-attended briefing with the Data Protection Commission (DPC) on the impact of a no-deal Brexit on data protection compliance on Monday 25 February. In parallel to that briefing we recorded a webinar for members unable to attend. We were delighted to partner with the Data Protection Commission in delivering this initiative. Please find attached link to the webinar below [7]. As discussed in the webinar, guidance on certain safeguards (i.e. codes of conduct) are being discussed at EU level. This guidance is now the subject of public consultation. See link [8].

What a 'no deal' Brexit means for Ireland to UK data transfers


Ibec held a briefing with the Data Protection Commissioner (DPC) on the impact of a no-deal Brexit on data protection compliance on Monday 25 February. In parallel to that briefing we recorded a webinar for those unable to attend. You can view the webinar recording here.



Further guidance on data protection and a no-deal Brexit

[1] European Commission contingency guidelines on a potential no-deal Brexit (page 11)
[2] Mechanisms for the lawful transfer of personal data outside the EU (Data Protection Commissioner guidance)
Mechanisms for the lawful transfer of personal data outside of the EU (European Commission guidance)
[3] UK Government on data protection and a potential no-deal Brexit scenario:
[4] Irish Data Protection Commission (DPC) notice on data protection and a potential no-deal Brexit scenario
[5] UK Information Commissioner’s Office (ICO) on data protection and a potential no-deal Brexit scenario
[6] DPC Guidance on transfers of personal data from Ireland to the UK in the event of a ‘no-deal’ Brexit
[7] Ibec webinar with DPC on transfers of personal data from Ireland to the UK in the event of a ‘no-deal’ Brexit
[8] EDPB consultation on Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679