0370 270 6000

already registered?

Please sign in with your existing account details.

need to register?

Register to access exclusive content, sign up to receive our updates and personalise your experience on brownejacobson.com.

Privacy statement - Terms and conditions

the implications of Brexit on data protection 

7 July 2017

The EU General Data Protection Regulation (GDPR) is expected to come into force in EU Member States on 25 May 2018. As the UK will then still be a member of the EU the GDPR will have direct effect on businesses established in the UK from May 2018 until Brexit.

The implications of Brexit on data protection are complex and create a great deal of uncertainty for individuals, business and the UK economy. Data protection is, for example, a key area impacting on the UK’s participation in the Digital Single Market.


The provisions of the GDPR were furiously negotiated over four years. The intention had been to create a level playing field for data protection across the EU, replacing the fragmentation of data protection as a result of the different standards and requirements of the national laws implemented the 1995 Data Protection Directive. However, far from achieving absolute harmony across the EU, the final text of the GDPR made many provisions subject to the requirements or determination of individual Member State laws.

The position after Brexit

The effect of a Brexit could be that:

  • the GDPR will no longer have direct effect on UK businesses which are only established in the UK
  • any UK business which has an establishment in another EU Member State, and the term 'establishment' has been broadly defined, may need to comply with the GDPR as a consequence of its linkage to the EU based business
  • as a consequence of the extra-territorial effect of the GDPR, the GDPR will expressly apply to any UK business which offers goods or services to individuals in the EU or monitors individuals in the EU.

What is the UK Government’s position?

On 8 November 2016, the Rt Hon Matt Hancock , in a written ministerial statement on the Triennial Review of the Information Commissioner’s Office, confirmed that the GDPR would come into force in the UK in May 2018.

This followed the appearance of Secretary of State Karen Bradley MP before the Culture, Media and Sports Select Committee on 24 October where the Minister stated that “we will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”

What the Government hasn’t confirmed is the form of UK data protection law after Britain’s exit from the EU. It is, however, likely that some form of legislation very close to the text of the GDPR will be in force in the UK.

What to do now?

We would suggest that clients:

  • keep up to date on statements from the ICO and its sponsoring department, the Department of Culture, Media and Sport
  • undertake at least a high level audit of their compliance with the UK’s DPA and the significant changes in the GDPR
  • review where the business and any group companies are established
  • check whether the activities (both on and off-line) of any UK arm of their business include offering goods and services to, or monitoring the activities of, EU individuals.

Brexit and beyond: navigating the challenges ahead

Our Brexit hub provides useful information on the key areas that are likely to be affected by Brexit, the priority issues for any business or organisation and practical guidance to help you navigate the challenges ahead.

Visit the Brexit hub >

focus on...

Brexit resources

Brexit overview: your use of data and Brexit

Despite the lack of clarity around Brexit, there are key data issues that can be addressed now. We can help you with the steps you need to take to mitigate the risks.

View brexit resources

Legal updates

Corporate transparency and register reform: Government response now published

In May 2019 the Government consulted on a range of options to enhance the role of Companies House and increase the transparency of companies and other legal entities. On 18 September 2020 BEIS published the Government's response following a huge response to the consultation.


Legal updates

Schrems 2: Electric Déjà Vu?

The CJEU gave judgment in the Schrems II case on Thursday 16 July 2020. The case examined the means by which personal data can lawfully be exported to the US from the EU.


In-House Lawyers - 12 June 2020

On demand webinar, focusing on practical solutions to utilise from home in agreements and dealings with business, data and digital law and how covid-19 has changed legal privilege.


The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.

mailing list sign up

Select which mailings you would like to receive from us.

Sign up