Personal Data Flows post Brexit

22nd September 2020

Most businesses will now have taken steps to ensure that their data processing functions comply with the General Data Protection Regulation (“GDPR”). However, many businesses will be unclear about the data protection responsibilities applying at the end of the Brexit transition period.


What are the current requirements?

The UK is, of course, no longer a member of the EU. The Withdrawal Agreement provides that the UK will continue to be subject to EU rules until the end of the Brexit transition period (31 December 2020). Therefore, businesses acting as controllers or processors of personal data will be required to comply with GDPR until the end of the transition period.


What happens at the end of the transition period?

After the end of the Brexit transition period, GDPR will be retained in UK law as the “UK GDPR”.

However, the UK will no longer be treated as part of the EU and it will be considered a “third country” for GDPR purposes. If a party in the EEA wishes to transfer personal data to a third country (which will include the UK from 31 December 2020), they must ensure that this international transfer complies with GDPR. One way to comply with the GDPR’s rules on international transfers is for the parties involved (sender and recipient) to enter into standard contractual clauses governing the use of the EEA personal data.


What can I do now to prepare?  

If you are a business processing EEA personal data, you can take the following steps to ensure the continuing flow of data at the end of the transition period:


  1. appoint an individual to take the lead responsibility for data protection obligations in your business;
  2. review the personal data which is received into, and transferred out of, the business;
  3. identify any personal data which is received into the UK business from the EEA; and
  4. complete the Information Commissioner’s Office’s interactive tool to decide which action to take to ensure ongoing compliance (


Get in touch

If you would like to discuss any of the issues raised in this article, or would like assistance with data protection, Rebecca Anforth (Senior Associate), would be delighted to hear from you. You can reach Rebecca on 01872 226999 or you can email her


Murrell Associates LLP 22 September 2020

The information provided in this article is a summary for general information purposes only and does not constitute legal or other professional advice and cannot be relied upon as such. Any law quoted in this article is correct as at the above date. Appropriate legal and financial advice should be sought for specific circumstances before any action is taken.