Whether you voted to Leave or Remain, what we can all agree on is that the past three years have
thrown up constant surprises. Whether it’s the Irish question in flux once again, law surpassing the
government US style or opposition leaders refusing a General Election, Brexit hits the headlines
again and again. So, it was both no surprise and yet still a surprise to find out that leaving the EU
could have a negative impact on how our data is processed.
We are over a year into the new GDPR regulation, an EU top down initiative that all member states
needed to comply with. If you are one of the millions of businesses that put the effort in to make
sure that your business and processes were fully compliant with the GDPR, it can be tempting to
think that you have all the bases covered when Brexit rolls around. The good news is, if you have no
customers or contacts in the EEA (that’s the EU 27 plus Iceland, Norway and Lichtenstein) then your
business remains compliant with UK GDPR.
However, those of us with customers or contacts in the EEA will need to get our heads around the
new concept (to us anyway!) of ‘cross-border’ personal data. As a country currently within the EU, all
data flows freely, its security underpinned by GDPR throughout. Yet when we leave the EU, our GDPR
turns into UK GDPR, and as a third country will no longer be considered adequate by the EU. So if an
EU country wanted to either export or import UK data, a transborder data agreement would need to
be created and adhered to.
While this may sound unnecessarily complicated, the good news is that for most GDPR compliant
small and medium businesses the data protection rules already in place will largely stay the same.
Extra steps may need to be taken to ensure a free flow of data through a transborder data
agreement, and those doing a significant amount of work with an EU country may wish to consider
an EEA delegate, but the work needed is reasonably small compared to businesses that trade