GRA publishes ‘no deal’ Brexit guidance on data protection

GRA publishes ‘no deal’ Brexit guidance on data protection

The Gibraltar Regulatory Authority yesterday published a guidance note for local businesses to help ensure the continuity of data flow in the event of a no-deal Brexit.

Although the Gibraltar Government aims to retain the European Union’s GDPR within domestic law, businesses will need to ensure they continue to be compliant with data protection law.

The 6-step guide provides local organisations with advice and assistance on how the data flows which are crucial to business and other activities are maintained.

For businesses that operate locally, there will not be an immediate change.


However businesses that operate internationally may need to make changes ahead of the UK and Gibraltar leaving the European Union to ensure the minimal risk of disruption.

A spokesman for the Government said: “To ensure the Gibraltar data protection framework continues to operate effectively when the UK is no longer an EU Member State, the government will make appropriate changes to the GDPR and the Data Protection Act 2004.”

The 6-step guide provides information on businesses which continue to comply with GDPR standards, transfers to Gibraltar, transfers from Gibraltar, European operations, documentation that needs updating when the UK and Gibraltar leave the EU, and organisational awareness.

Some of the key components of the no-deal Brexit framework includes preserving the EU GDPR standards in domestic law and transitionally recognise all EEA countries, including EU member states and the UK, as “adequate” to allow data flows from Gibraltar to the UK and Europe to continue.

The regulations would also preserve the effect of existing EU adequacy decisions on a transitional basis and will recognise EU Standard Contractual Clauses in Gibraltar law and give the information commissioner the power to issue new clauses.

Binding corporate rules authorised before Exit day would be recognised and the extraterritorial scope of the Gibraltar data protection framework will be maintained.

The regulations would also oblige non-Gibraltar controllers subjected to the local data protection framework to appoint representatives in Gibraltar if they are processing data on a large scale.

To read the Information Commissioner’s 6-step guide, visit

Chronicle Staff

Recent Posts

Today's e-edition