0370 270 6000

Data protection in a post Brexit world

27 April 2020

Now that the UK is outside the European Union – will that mean less red tape for SMEs when it comes to processing personal data? Here’s why you shouldn’t hold your breath.

What law applies?

You’re probably aware of two pieces of legislation that currently apply to processing of personal data:

  • The General Data Protection Regulation (GDPR), as a regulation, applies directly to all member states of the European Union (EU).
  • The UK Data Protection Act 2018, currently in force also incorporates the GDPR and deals with the derogations specific to the UK.

Since Brexit, the GDPR no longer directly and automatically applies to the UK, although the Data Protection Act 2018 and the Withdrawal Act means that its provisions will continue to have an effect, via UK legislation.

In its guidance the Information Commissioner's Office (ICO) have confirmed that a new UK version of the GDPR (removing references to Europe) will be incorporated into UK law. The UK will therefore have a similar law in place to the GDPR but tailored to the UK (the UK GDPR).

But no more EU legislation though?

Not quite. The EU version of the GDPR will continue to apply to those UK based controllers and processors in the UK who either:

  • offer goods and services to individuals in the EU; or
  • Monitor the behaviour of individuals in the EU.

So will UK businesses supplying goods and services to EU customers have to comply with TWO versions of the GDPR?

Yes, but they’re likely to be very similar – so that’s not the problem. What’s often more important however is how the law is interpreted by the regulator.

Guidance from the regulator

Pre-Brexit the ICO would take into account the guidance of an EU body, the European Data Protection Board, (EDPB) when drafting its own guidance and making decisions. The ICO had a seat on this board and the EDPB would ensure a consistent approach throughout the member states of the European Union, including the UK.

Next year however the ICO will no longer sit on the EDPB. There is a chance therefore that data protection guidance could result in different interpretations of the law in the UK compared to the EU.

Differing Case Law

Alongside guidance from the regulator, case law will often determine how legislation applies to individual businesses. Pre-Brexit cases would take into account as the last court of appeal, decisions from the Court of Justice of the European Union (CJEU) on how legislation should be interpreted – the intention being that the legislation should be applied in a similar fashion across member states.

If, as is currently proposed, the UK Government will not accept the jurisdiction of the CJEU after Brexit, then again there is a good chance that UK data protection law, even though based on the GDPR could be interpreted differently as a result of UK courts taking a different line to the EU.

So what does this mean for UK businesses?

Organisations in the UK that operate in both the UK and the EU will be subject to both the EU and the UK versions of the GDPR and must comply with both laws going forwards. That shouldn’t be too much of a stretch for so long as the laws remain similar, however in the event that guidance and case law leads to different interpretations of those laws, organisations could be in the difficult position of being required to comply with different and possibly conflicting laws when dealing with personal data from EU and UK customers.

Co-authored by Richard Nicholas and Lauren Webb – data protection lawyers at Browne Jacobson LLP

This article was first published by Data Protection Magazine.

Focus on...

The UK's green agenda - the outcomes of COP27 and actions since COP26

Just over a year ago world leaders, policymakers, scientists and environmental activists gathered in Glasgow for COP26. Now many of those same people have also travelled to Egypt to attend this year's summit for what has been billed as “A moment of truth for the international community”.



The role of benchmarking in setting pay in schools

The use of salary benchmarking data is common place in most sectors in the UK and it’s great to see that CST’s salary survey for school trusts is growing with a higher number of participating organisations and included job roles. This years’ survey includes over 2000 job roles and 147 participating organisations.


Legal updates

Hair discrimination – stop pupils being unfairly singled-out for their appearance

The Equality and Human Rights Commission (EHCR) has issued new, non-statutory guidance regarding the wearing of natural or protective hairstyles, specifically in reference to their representation in uniform, behaviour or standalone appearance policies. This guidance has been designed to complement and enhance the guidance already given on school uniform and Equality Act 2010.


Legal updates

School complaint management - exploring a new way forward

There’s greater opportunity than ever for parents, carers and guardians to voice any concerns they have relating to their child’s education and for their concerns to be heard and to be taken seriously.


Richard Nicholas

Richard Nicholas

Partner and Responsible for In House Lawyers

View profile