General Data Protection Regulation: Guidance on a “no-deal” Brexit

Today the Gibraltar Regulatory Authority (“GRA”), as the Information Commissioner (the “Commissioner”), has published a guidance note on the European Union’s General Data Protection Regulation (“GDPR”) and Gibraltar’s Data Protection Act 2004 (“DPA”).

The GDPR imposes conditions on transfers of personal data to jurisdictions outside the European Economic Area (which includes the European Union). In the event of Brexit without a deal, transfers to Gibraltar would need to comply with said conditions. Her Majesty’s Government of Gibraltar is planning to include mechanisms in law for the uninterrupted transfer of personal data between Gibraltar and the UK, so these data flows should not be affected.

This guidance note aims to provide organisations with advice and assistance on how organisations can ensure that data flows crucial to business and other activities are maintained in the event of a no deal Brexit.

The guidance note is available on the data protection section of the GRA’s website –

The GRA is the nominated authority responsible for the enforcement of data protection law in Gibraltar and carries out the functions assigned to it to uphold the rights of individuals and their privacy. As part of his efforts to promote data protection compliance and good practice, the Commissioner issues guidance notes aimed at helping organisations improve their data protection practices and comply with the law.

For further information please contact the Information Rights Division of the GRA on +350 200 74636 or email