This checklist highlights six steps you can take now to start preparing for data protection compliance if the UK leaves the EU on 29 March 2019 without a deal.

If you only operate within the UK, you may not need to do much to prepare for data protection after we leave the EU. The UK is committed to the high standards of data protection set out in the General Data Protection Regulation (GDPR), and the government plans to incorporate the GDPR into UK law when we leave. Therefore, your best preparation for the future UK regime is to ensure that you are effectively complying with the GDPR now.

You may however need to ensure adequate safeguards are in place to maintain any data flows from the European Economic Area (EEA), which includes the EU.

If you operate in the EEA, you may need to comply with both the UK data protection regime and the EU regime after the UK exits the EU. You may also need to appoint a representative in the EEA. There is more information below about whether this applies to you.

You can use this checklist to work out whether you will be affected once we leave the EU, and take some key steps to prepare.

We will continue to update our guidance and develop other tools to assist you.

Until exit date we continue to work with EU data protection authorities in the European Data Protection Board (EDPB) on GDPR guidelines at European level.

However, after exit date, the ICO will only regulate the UK regime. We intend to maintain close links and cooperation with European supervisory authorities (who will have oversight where the EU regime applies).

The ICO is also working closely with trade associations and bodies representing the various sectors – you should also work closely with these bodies to share knowledge about what’s happening in your sector.

February 2019