0370 270 6000

already registered?

Please sign in with your existing account details.

need to register?

Register to access exclusive content, sign up to receive our updates and personalise your experience on brownejacobson.com.

Privacy statement - Terms and conditions

the implications of Brexit on data protection 

7 July 2017

The EU General Data Protection Regulation (GDPR) is expected to come into force in EU Member States on 25 May 2018. As the UK will then still be a member of the EU the GDPR will have direct effect on businesses established in the UK from May 2018 until Brexit.

The implications of Brexit on data protection are complex and create a great deal of uncertainty for individuals, business and the UK economy. Data protection is, for example, a key area impacting on the UK’s participation in the Digital Single Market.

The GDPR

The provisions of the GDPR were furiously negotiated over four years. The intention had been to create a level playing field for data protection across the EU, replacing the fragmentation of data protection as a result of the different standards and requirements of the national laws implemented the 1995 Data Protection Directive. However, far from achieving absolute harmony across the EU, the final text of the GDPR made many provisions subject to the requirements or determination of individual Member State laws.

The position after Brexit

The effect of a Brexit could be that:

  • the GDPR will no longer have direct effect on UK businesses which are only established in the UK
  • any UK business which has an establishment in another EU Member State, and the term 'establishment' has been broadly defined, may need to comply with the GDPR as a consequence of its linkage to the EU based business
  • as a consequence of the extra-territorial effect of the GDPR, the GDPR will expressly apply to any UK business which offers goods or services to individuals in the EU or monitors individuals in the EU.

What is the UK Government’s position?

On 8 November 2016, the Rt Hon Matt Hancock , in a written ministerial statement on the Triennial Review of the Information Commissioner’s Office, confirmed that the GDPR would come into force in the UK in May 2018.

This followed the appearance of Secretary of State Karen Bradley MP before the Culture, Media and Sports Select Committee on 24 October where the Minister stated that “we will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”

What the Government hasn’t confirmed is the form of UK data protection law after Britain’s exit from the EU. It is, however, likely that some form of legislation very close to the text of the GDPR will be in force in the UK.

What to do now?

We would suggest that clients:

  • keep up to date on statements from the ICO and its sponsoring department, the Department of Culture, Media and Sport
  • undertake at least a high level audit of their compliance with the UK’s DPA and the significant changes in the GDPR
  • review where the business and any group companies are established
  • check whether the activities (both on and off-line) of any UK arm of their business include offering goods and services to, or monitoring the activities of, EU individuals.

Brexit and beyond: navigating the challenges ahead

Our Brexit hub provides useful information on the key areas that are likely to be affected by Brexit, the priority issues for any business or organisation and practical guidance to help you navigate the challenges ahead.

Visit the Brexit hub >

focus on...

Brexit resources

Data protection: preparing for Brexit

Although there is uncertainty about what arrangements will apply when the UK leaves the EU, there are a number of practical steps that can be taken now to prepare from a data protection perspective and to ensure that any data flows to and from the EU can continue post Brexit.

View brexit resources

Legal updates

Neocleous and another v Rees [2019] EWHC 2462 (Ch)

Following a dispute over a right of way, the parties’ solicitors agreed in an exchange of emails (constituting a single email chain) to compromise the dispute by the defendant (R) transferring to the claimants (N) a small piece of land adjacent to Lake Windermere.

View

Legal updates

Public matters - September 2019

This month is a Brexit special including general elections, public procurement, data protection and contract drafting.

View

Brexit resources

Brexit: data protection law and local authorities?

The political situation in Westminster continues to evolve and it is unclear what will happen on October 31st – in particular whether we will remain, leave, or whether there will be a transitional arrangement to bridge the gap?

View brexit resources

The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.

mailing list sign up



Select which mailings you would like to receive from us.

Sign up