Data protection

Currently, the rules which govern the collection and use of personal data are set at an EU-level by the General Data Protection Regulation (GDPR). In the UK, the Data Protection Act 2018 incorporates and supplements the standards set out in the GDPR and ultimately provides for a comprehensive data protection framework. Following Brexit there will be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 will remain in place and the GDPR will be incorporated into UK law to sit alongside it.

The GDPR itself states that organisations are free to transfer personal data within the EU. However, they are only permitted to transfer personal data outside of the EU if there is a legal basis for doing so.

The UK Parliament, when scrutinising the Brexit process, has noted that retaining the ability to transfer data to and from EU countries is a fundamental issue to many UK technology businesses. Its report stated: “The success of the UK’s digital economy is underpinned by ongoing data transfer across the globe and particularly within the EU…It is important to recognise that Brexit creates a potential risk that the UK’s ability to transfer data across borders will be limited”.

In practice the free flow of personal data from the UK to the EU should largely be unaffected. The issue arises in the converse, where personal data is transferred from organisations established in the EU27 countries to those established in the UK, as the legal framework governing such data transfers may not be covered by any agreement on trade that is reached between the UK and EU during the transition period. However, the EU already has a mechanism which allows for the free flow of personal data to and from countries outside of the EU and this could apply to future data transfers to the UK. The European Commission has previously stated that if the UK’s level of personal data protection is deemed to be effectively equivalent to that of the EU (i.e. the GDPR), it would allow the transfer of personal data to and from the UK without restriction.  It is to be hoped that the EU does indeed provide for this.

However, given that the granting of any such “adequacy decision” is not certain, it is worth considering an alternative legal basis for the processing of personal data; in particular, the use of standard contractual clauses. In short, by including any model European Commission preapproved data protection clauses within your contracts with EU customers (and ensuring that their respective customers enter into the same) you can obtain the necessary lawful basis to transfer personal data to and from the EU following Brexit. 


If you have any questions regarding the impact of Brexit on your intellectual property rights, please contact your usual Marks & Clerk advisor or, alternatively, you can direct your question to the chair of our Brexit committee, Graham Burnett-Hall.

Click here to return to the Brexit homepage

Find the right person

Find the office that suits you

Click here to view our offices

>