Contact The Team

Subscribe to our mailing list

* indicates required

GDPR and Data Transfers in the event of ‘No-Deal’ Brexit

Wednesday, January 23, 2019

It remains to be seen whether the UK will ‘crash out’ of the EU if and when it eventually leaves. At the time of writing, the exit date has been rescheduled for  12th April, 2019. Should Brexit happen, the UK will become a ‘Third country’ for the purposes of EEA personal data transfers. This means data that was once able to flow freely between the UK and EEA without any specific safeguards, will no longer be possible. This affects Irish (and European) businesses and organisations dealing with parties in the UK, including Northern Ireland.

In light of recent guidance from the Irish Data Protection Commission (DPC) and the UK Information Commissioner (ICO), we explain below the main implications of a ‘no deal’ Brexit for organisations transferring data between Ireland/ the EEA and the UK, and the steps they should be taking in order to ensure that data can continue to flow. If your organisation uses a UK entity to provide any service, it is quite likely that a personal data transfer is taking place and plans should be made on how to deal with this in a no-deal scenario.

Steps to ensure data continues to flow

  • “Adequacy Deal”: The ideal scenario for the continued free flow of data would be for the UK to strike an ‘adequacy’ deal with the European Commission (EC). This would mean UK data protection laws are of an equal standard to that in the EEA. Note: An adequacy finding will not be in place before 12th April 2019, rendering the UK a third country lacking adequate protection if no withdrawal agreement can be struck.
  • Standard Contractual Clauses (SSCs): SCCs are model contracts approved by the EC, which implement contractual safeguards between the data exporter and importer. As the most popular alternative mechanism of transferring data outside the EEA, they are available to download on the EC website. The ICO has provided a guide for small to medium sized organisations aimed at helping you decide if SCCs are relevant, and minimising the expense of putting them in place.
  • Other transfer mechanisms: The DPC has provided information on other available transfer mechanisms and derogations for specific situations and we provide a snapshot of these in our article GDPR and International Data Transfers.

Transfers from the UK to Ireland / the EEA

Post-Brexit, the UK Government has said the UK will continue to acknowledge the EEA Member States as having an adequate level of protection for safeguarding personal data. This is welcome news if you are an Irish organisation receiving data from the UK, as that personal data can continue to flow freely from the UK to Ireland/ the EEA.

Transfers from Ireland to the UK

The DPC’s December guidance has indicated the next steps to take for Irish organisations transferring data to the UK:

  • Map the personal data that is currently being transferred to the UK;
  • Establish whether the transfers will need to continue beyond the withdrawal date;
  • If yes, then evaluate the various transfer mechanisms to decide which one best suits your situation, and work towards having it in place before the withdrawal date;

Also, because both processors and controllers are required to implement appropriate safeguards, all kinds of organisations – including those with intra-group service arrangements and those with third parties – must make the necessary changes.

“Six Step Approach”

The ICO has designed a helpful ‘Six Steps to Take’ guide to help all organisations make the precautionary preparations that will help ensure data flows continue post-Brexit.


The status of Ireland-UK data transfers post-Brexit looks more uncertain than ever. At the time of writing, Theresa May will travel to meet EU leaders in Berlin and Paris, in a last-ditch attempt to strike yet another extension for Brexit –  this time for 30th June, 2019. Any development in the area could have a significant impact on data transfers and prudent precautions should therefore be taken. There will continue to be a steady flow of information and guidance from the Irish DPC, UK ICO and the Irish and UK Government as and when an agreed withdrawal date edges closer, so be sure to check these sources regularly.



For more information on this topic, or if you have any questions relating to data transfers, please contact the Data, Privacy and Technology team at Philip Lee.


Eoghan Doyle


Anna Hickey