The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Some of the information we process is passed outside of the European Economic Area, what do we need to do?

If you’re sending personal data to a different organisation or person based outside of the European Economic Area (which is the EU member states plus Iceland, Norway and Liechtenstein), you’ll be making what’s known as a ‘restricted transfer’.

When making a restricted transfer you’ll need to make sure the country is covered by an ‘adequacy decision’ which means it’s considered to meet the required standards in the way it treats personal data, or that an appropriate safeguard or exception is met.

Often, standard contractual clauses act as an appropriate safeguard between two organisations. These are a set of clauses included within an agreement between the organisations that say how they’ll comply with the accepted standards of data protection. They place requirements on the sender and recipient. Our guidance on international transfers helps explain the available mechanism for making restricted transfers.

My business only works within the UK. How will data protection and EU withdrawal affect me?

After we leave the EU, data protection rules will still apply if you process personal data. The UK government wants us to have data protection laws that are like the ones we have now.

Even if all your customers are based in the UK, and you don’t send any personal data to another organisation or person outside of the UK, you still need to follow data protection rules.

Getting on top of data protection now will save you time and help your business in the future.

 

We will be updating our guidance and offering support whenever there are developments. You can sign up to our newsletter below to receive information about this and other ICO updates.