0370 270 6000

already registered?

Please sign in with your existing account details.

need to register?

Register to access exclusive content, sign up to receive our updates and personalise your experience on brownejacobson.com.

Privacy statement - Terms and conditions

the implications of Brexit on data protection 

7 July 2017

The EU General Data Protection Regulation (GDPR) is expected to come into force in EU Member States on 25 May 2018. As the UK will then still be a member of the EU the GDPR will have direct effect on businesses established in the UK from May 2018 until Brexit.

The implications of Brexit on data protection are complex and create a great deal of uncertainty for individuals, business and the UK economy. Data protection is, for example, a key area impacting on the UK’s participation in the Digital Single Market.

The GDPR

The provisions of the GDPR were furiously negotiated over four years. The intention had been to create a level playing field for data protection across the EU, replacing the fragmentation of data protection as a result of the different standards and requirements of the national laws implemented the 1995 Data Protection Directive. However, far from achieving absolute harmony across the EU, the final text of the GDPR made many provisions subject to the requirements or determination of individual Member State laws.

The position after Brexit

The effect of a Brexit could be that:

  • the GDPR will no longer have direct effect on UK businesses which are only established in the UK
  • any UK business which has an establishment in another EU Member State, and the term 'establishment' has been broadly defined, may need to comply with the GDPR as a consequence of its linkage to the EU based business
  • as a consequence of the extra-territorial effect of the GDPR, the GDPR will expressly apply to any UK business which offers goods or services to individuals in the EU or monitors individuals in the EU.

What is the UK Government’s position?

On 8 November 2016, the Rt Hon Matt Hancock , in a written ministerial statement on the Triennial Review of the Information Commissioner’s Office, confirmed that the GDPR would come into force in the UK in May 2018.

This followed the appearance of Secretary of State Karen Bradley MP before the Culture, Media and Sports Select Committee on 24 October where the Minister stated that “we will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”

What the Government hasn’t confirmed is the form of UK data protection law after Britain’s exit from the EU. It is, however, likely that some form of legislation very close to the text of the GDPR will be in force in the UK.

What to do now?

We would suggest that clients:

  • keep up to date on statements from the ICO and its sponsoring department, the Department of Culture, Media and Sport
  • undertake at least a high level audit of their compliance with the UK’s DPA and the significant changes in the GDPR
  • review where the business and any group companies are established
  • check whether the activities (both on and off-line) of any UK arm of their business include offering goods and services to, or monitoring the activities of, EU individuals.

Brexit and beyond: navigating the challenges ahead

Our Brexit hub provides useful information on the key areas that are likely to be affected by Brexit, the priority issues for any business or organisation and practical guidance to help you navigate the challenges ahead.

Visit the Brexit hub >

focus on...

Legal updates

Commercial and FinTech update: 24 April 2020

The latest set of UK government financial bailout measures were announced on Monday, 20 April by HM Treasury and the Department for Business, Energy and Industrial Strategy, target Innovate UK’s R&D intensive small and medium-sized enterprises (SMEs).

View

Upcoming webinars

COVID-19 for Local Authorities, Arms Length Bodies and Government

Join our COVID-19 for Local Authorities, Arms Length Bodies and Government webinar.

View

Legal updates

Staff working from home? How do you keep data secure?

Data protection law requires every business that deals with personal data to ensure that they have “Technical and Organisational Measures ” in place to keep that data secure. Losing that data could seriously damage the company’s reputation and potentially land it with a fine from the ICO and with claims for compensation.

View

Legal updates

Data protection and Coronavirus

The ICO has recently released updated guidance for businesses who are grappling with concerns around data protection compliance during the ongoing Covid-19 (Coronavirus) pandemic

View

The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.

mailing list sign up



Select which mailings you would like to receive from us.

Sign up