Data arrangements

As businesses that potentially rely on the cross border transfer of personal data from customers, between intermediaries, to and from capacity providers and to outsource providers, intermediaries might need to take further actions to enable this transfer of data to occur following the UK’s withdrawal from Europe. This section aims to clarify what actions should be taken by insurers or insurance intermediaries in relation to this transfer of personal data and requirements around notifications to national supervisory authorities. 

If an EEA firm sends personal data to someone else who is outside the EEA, they must comply with GDPR rules on international transfers of data.   Ways of safeguarding the compliant transfer of data between an EEA data controller and a UK data controller or data processor might be to use the Standard Contractual Clauses (SCC) or other Alternative Transfer Mechanisms (ATM).  Brokers might want to review their legal agreements to ensure that the correct SCCs are being applied in order to receive personal data from the EEA in a compliant way.

Businesses that are part of a multinational group may be able to rely on binding corporate rules (BCRs), for intra-group transfers as an appropriate safeguard.

UK businesses and organisations will continue to be able to legally send personal data from the UK to the EEA and 13 countries deemed adequate by the EU.

There is no need to take preparatory action to continue sending personal data out of the UK to the EU/EEA.

If the UK leaves the EU without a deal, UK businesses and organisations will still need to be compliant with data protection law.

There will be no immediate change to the UK’s data protection standards. The General Data Protection Regulation (GDPR) will be brought into UK law and the Information Commissioner would remain the UK’s independent supervisory authority on data protection.

There may be additional actions that some organisations need to take. The Information Commissioner’s Office (ICO) has further guidance your business or organisation should follow to prepare for Brexit.

The ICO will continue to be the independent supervisory body regarding the UK’s data protection legislation.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.