Data protection if there’s no Brexit deal
Does this guidance apply to us?
You should read this guidance if you are a business or organisation based in the UK and the GDPR or Part 3 of the Data Protection Act 2018 currently applies to your processing of personal data.
It is particularly relevant to UK businesses and organisations which:
- operate in European Economic Area (the EEA), which includes the EU;
- or send personal data outside the UK;
- or receive personal data from the EEA.
This guidance is not aimed at individuals and, if needed, we will provide guidance for individuals in due course.
You should also read this guidance if you are a UK business or organisation and any of the following regulations apply to you:
- the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR);
- the Network and Information Systems Regulations 2018 (NIS); or
- Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS).
If you are a UK business or organisation, we have set out the key practical points and preparations for you to consider if the UK were to exit the EU without a deal.
This guidance covers the following laws that are regulated by the ICO, which will be affected by the UK exiting the EU:
FTC Takes Action against Companies Falsely Claiming Compliance with the EU-U.S. Privacy Shield, Other International Privacy Agreements