In a 'no deal scenario' additional data protection measures will need to be taken.

Currently the transfer of personal data within the EU is governed by the GDPR and in the UK the General Data Protection Act. The aim of GPDR was to provide users with greater control over personal data and ensure harmonisation across data protection rules. The GDPR also regulates data transfers from the EU to the rest of the world.

Data protection laws will be aligned with the EU at the point of exit, and as such there would be no immediate change in personal data originating from the UK being sent to the EEA or the rest of the world.

However, should the UK leave the EU without a deal in place, incoming data originating from the EEA will require additional safeguards in the form of an adequacy decision; binding corporate rules; standard model clauses; derogations or codes of conduct and certification measures in accordance with the EU GDPR.

In relation to agreements currently in place for the USA, data can still be circulated via “Privacy Shield”, although updated processes will be required to reference the change in regulation on the UK’s departure in the event of a “no-deal” scenario.

In the event of a no-deal, Under Article 3 of the EU GDPR controllers or processors which are not established within the EEA (which the UK will be in the event of “no-deal”) will be required to appoint a representative within the EEA. The UK government intends to replicate this provision to require data controllers based outside of the UK to appoint a representative in the UK.

The technical notice on data transfers can be found at:
With further information