Firms need to act to understand where, how and to or with which organisations and countries they send, receive or exchange personal data. They also need to identify whether they have put in place either:

  • Standard Contractual Clauses – standard sets of contractual terms and conditions which the sender and the receiver of the personal data both sign up to. They include contractual obligations which help to protect personal data when it leaves the EEA and the protection of the GDPR; or
  • Binding Corporate Rules – an internal code of conduct operating within a multinational group, which applies to restricted transfers of personal data from the group’s EEA entities to non-EEA group entities. This can be a corporate group or a group of undertakings and enterprises engaged in a joint economic activity. These rules must be approved by an EEA supervisory authority in the country where one of the entities is based.

The Information Commissioner’s Office (ICO) has also provided additional useful information and guidance:

  • ICO advice – this provides an overview of the rules, guidance on what the key issues are and what action firms should consider taking. It also provides links to other sources of information and guidance, including to a list of Frequently Asked Questions.
  • ICO Leaving the EU Six Steps – this sets out the key actions required relating to data transfers to and from the UK, in relation to European operations, internal policies and documentation, and organisational awareness (identifying which key individuals need to understand and apply the new rules).
  • ICO tool for working out if SCC will work for you – this guidance is focused on SMEs, and outlines how SCCs can work, and the circumstances in which these can be used, as well as identifying possible alternative approaches.