GDPR and Brexit UK Impact - The No Big Deal Guide

What is the impact of Brexit on GDPR & does the UK still need to comply?

Published by: Jamie King | Date Published: 31 August 2019 | Last Modified: 31 August 2019

This GDPR and Brexit Impact Guide has been created to help you understand what happens to GDPR and data protection if the UK leaves the EU with no deal. While this guidance will continue to develop inline with the latest Brexit developments, please do seek official information and guidance from the ICO and UK Government regarding GDPR and Brexit.

Some formalities; GDPR, or the General Data Protection Regulation is a EU regulation. It became law to all EU member states and the UK in May 2018.
The UK DPA 2018 (Data Protection Act) also came into force in May 2018 and currently (pre-brexit) sits alongside the GDPR. This was an update to the old 1998 Data Protection Act.

Impact of a no deal Brexit & GDPR

  • EU GDPR will no longer be law in the UK.
  • UK to adopt GDPR into UK law & create 'UK GDPR' version.
  • UK will become a 'third country' in eyes of EU GDPR.

When the UK leaves the EU (on October 31st so it's said) the EU GDPR will no longer be law in the UK. However the UK Government intends to write the GDPR into UK law, with required changes to create the 'UK GDPR'. So if you made changes to comply with GDPR in May 2018 it is advised you carry on doing what your doing now. There are some areas of GDPR you may need to revisit if a no-deal Brexit unfolds.

If the UK leaves the EU with a no deal Brexit, in the eyes of the EU and the EU GDPR, the UK becomes a 'third country'. What this basically means is there are stricter requirements for third countries, unless they have an adequacy decision from the EU. An adequacy decision is where the EU has confirmed a suitable level of data protection for personal data which is comparable to EU law. The UK's DPA 2018 should no doubt meet these high standards, but we'll need to wait until post-Brexit to see what happens. Furthermore is no adequacy decision is made it will mean the controller of personal data must ensure in other means that personal data will be sufficiently protected by the recipient. This could be assured using standard contractual clauses, for data transfers within a Group through so-called “binding corporate rules,” through the commitment to comply with codes of conduct which have been declared by the European Commission as being generally applicable, or by certification of the data processing procedure.