GDPR compliance in the event of a “no deal” Brexit

As the UK prepares to leave the EU, the UK government has advised organisations to consider data flows and ensure adequate safeguards for personal data transfers remain in place.

In the event of the UK leaving the EU without specific provision for personal data transfers, the .UK Registry-Registrar Agreement will be updated to insert Schedule 3a on 29 March 2019. 

These clauses are based on standard contractual clauses approved by the European Commission. They provide for the safeguarding of personal data transfers in the circumstances of transfers from the EU to the UK as required under the General Data Protection Regulation (GDPR). They will only apply to .UK registrars who process personal data in the EU, and are intended to cover any transition period pending an EU ruling that the UK’s data protection laws are considered ‘adequate’ under EU law.

If the UK and the EU reach an agreement that makes specific provision for personal data transfers during the transition period, Schedule 3a will not be required and will not come into operation.

Q & A

What has happened?

Nominet has issued provisional clauses (Schedule 3a) which will be incorporated into the .UK Registry-Registrar Agreement on 29 March 2019 in the event that the UK leaves the European Union (EU) without a withdrawal agreement in place. Registrars have been notified of the provisional clauses on 28 February 2019.

What does this mean for me?

All registrars should continue to comply with the principles set out in the General Data Protection Regulation (GDPR) which the UK government has confirmed will still be applicable in the UK post Brexit.

If you need further information on how Brexit affects data handling, please see the Information Commissioners’ Office website: www.ico.org.uk  and guidance: Leaving the EU – six steps to take.

What do the clauses do?

They require compliance with personal data transfers under the General Data Protection Regulation (GDPR) in the event of a “no-deal” Brexit. They provide a legal mechanism for personal data to continue to flow between EU based registrars and Nominet.  

Why are they needed?

Currently, the GDPR allows for personal information to flow freely between Nominet and EU based registrars without the need for specific contractual clauses.

If the UK leaves the EU without a withdrawal agreement that provides for the continued flow of personal data, these clauses will be incorporated into the .UK Registry-Registrar Agreement to ensure the same safeguards on personal data transfers. The clauses have been developed using standard contractual clauses approved by the European Commission.

Why now? / Does this mean you expect a ‘no deal’?

The Information Commissioner’s Office and the Department for Digital Culture Media and Sport have advised organisations to prepare for the possibility that the UK leaves the EU without a withdrawal agreement in place.  In line with the notice requirements in our contact, we have given Registrars 30 days’ notice of these changes.

What if there is deal?

If the deal agreed includes specific provision for the free flow of personal data between the EU and the UK following the UK leaving the EU, the clauses will not be necessary. 

What would the position be if the Draft Withdrawal Agreement is accepted?

The provisional clauses would not currently be needed. The UK would be considered as part of the EU for the purposes of GDPR until 31 December 2020.

What is the .UK Registry-Registrar Agreement?

The .UK Registry-Registrar Agreement is the contract between Nominet and our Registrars. It Includes the standards and obligations we expect of our Registrars when dealing with .UK domain names.