Small and medium-sized enterprises (SMEs) will have to take extra precautions when using personal data after the Brexit transition period comes to an end, a major regulator has warned.

The guidance, published by the Government and Information Commissioner’s Office (ICO), comes as the UK prepares to officially leave the EU on 31 December 2020.

To help your business get up to speed with the new demands of processing personal data, we’ve summarised the key points you need to know below:

What is personal data?

According to the guidance, personal data is defined as any information that can be used to identify a “living person”. This includes names, delivery details, IP addresses, or HR data such as payroll details.

What you need to do if you receive data from the EU

A data adequacy assessment of the UK is currently underway. If the UK is approved before the end of the transition period, the free flow of personal data from the EU/EEA to the UK will be allowed to continue without any further action by organisations.

If the assessment runs into next year, however, organisations will be required to put in place alternative transfer mechanisms to ensure that data can continue to legally flow from the EU/EEA to the UK. For example, your organisation may need to have Standard Contractual Clauses (SCCs) in place with EU counterparts in order to legally receive personal data from the EU.

What you need to do if you send personal data to the EU

There are currently no planned changes to the way you send personal data to the EU, EEA, Gibraltar and other countries deemed adequate by the EU.

What you need to do if you currently hold data on individuals outside the UK

Where possible, organisations may want to take stock of the personal data they hold so that they can identify and track relevant legacy personal data to which EU data law applies, in line with the Withdrawal Agreement requirements.

Will the UK continue to use GDPR at the end of the Brexit transition period?

After the end of the transition period, GDPR will be retained in UK law and will continue to be read alongside the Data Protection Act 2018, with technical amendments to ensure it can function in UK law.