A NEW GDPR headache is on the cards for businesses ahead of Brexit, data protection experts say.

Britain’s departure from the EU would have implications for any businesses which hold personal data about citizens from the other states in the union.

Under the General Data Protection Regulation, it is unlawful to transfer personal data outside the EU unless appropriate safeguards are in place.

The implications will be more onerous if Britain leaves the EU without a deal, according to Mark Gracey, owner of Lytchett Matravers-based Flavourfy and its subscription service the Digital Compliance Hub.

“No-deal Brexit could have implications for your businesses if you’re processing EU citizens’ data,” he said.

“Simply put, in a no-deal scenario the UK would be a ‘third country’ and any EU to UK data flows would be seen as restricted transfers under GDPR.”

On Wednesday night, the EU agreed a six-month delay to Brexit – but MPs remain deadlocked over passing a withdrawal deal.

Businesses needing to transfer EU citizens’ data outside the EU will need to be covered by one of three main safeguards. They are: an EU ‘adequacy decision’, as has been introduced for Japan; an EU agreement that binds another country to the union’s standards of data protection, as happens with the US; or a binding contract using “model clauses” dictated by EU regulations.

Under a no-deal Brexit, only the contractual route would apply.

The Digital Compliance Hub said: “With more and more businesses across the EU (not just the UK) preparing for a no-deal Brexit, we’re beginning to see some UK companies being asked to sign model clauses in anticipation of a no-deal Brexit. Without these contracts in place, basically EU to UK data flows would have to stop.”

It said businesses could argue that they do not need to sign such clauses until it was clear that a no-deal Brexit was happening.

Signing such a contract should only be a question of agreeing to standards that the business was still bound to anyway while Britain remains in the EU. “But this is only going to be the case if the contract is simply the model clauses – if your client has added something extra or done something different then you may need to be careful what you’re signing,” it added.

The hub has launched a model clause review service which offers to check what businesses are signing.