Keeping data you receive from the EU lawful

The EU is conducting a “data adequacy assessment” of the UK ahead of the end of the Brexit Transition period. UK businesses that transfer personal data from the EU or the European Economic Area (EEA) will need to have an alternative transfer mechanism in place to ensure this data can still flow lawfully if there is not a positive decision from the EU.

For most organisations, the most likely and relevant alternative mechanism will be Standard Contractual Clauses (SCCs). The Information Commissioner’s Office (ICO) provides detailed guidance on what actions might be necessary and an interactive tool that allows you to build SCCs.

If the EU grants positive adequacy decisions, it would mean that personal data can continue to flow freely from the EU/EEA to the UK as it does now, without any action needed by the organisations receiving it.

There are currently no changes planned to the way UK organisations send personal data to the EU/EEA, Gibraltar and other countries deemed adequate by the EU.

Personal data is any information that can be used to identify a living person, including names, delivery details, IP addresses, or HR data such as payroll details. Many organisations use personal data in their daily operations. An example of this is a UK company that receives customer information from an EU company, such as names and addresses, to provide goods or services.

The Brexit Transition period ends on 31st December 2020.

UK Government Guidance

ICO Guidance