Brexit: the data protection implications


The EU (Withdrawal) Act 2018 (the Withdrawal Act) sets out which existing EU law should be kept as UK domestic law after the UK leaves the EU. If the UK leaves the EU under a No-Deal Brexit, then, in accordance with section 3 of the Withdrawal Act, the EU’s General Data Protection Regulation (the EU GDPR) will become “retained EU law” and form part of UK domestic law on 29 March 2019 (the UK GDPR). As a result, the EU GDPR (or rather a revised version of it) will continue to apply in the UK.

The EU GDPR will need to be modified in order to make sense in the UK post-Brexit and the draft “Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019” (the Exit Regulations) provide the statutory instrument through which these modifications would be made. The Exit Regulations contain provisions to:

  • maintain the EU GDPR standards in UK domestic law
  • maintain the extraterritorial scope of the UK data protection framework
  • require all non-UK organisations who are subject to the UK GDPR to appoint data protection representatives in the UK (if they are processing the personal data of individuals in the UK on a large scale)
  • enable flows of personal data from the UK to the EEA by initially recognising all EEA / EU countries (and Gibraltar) as “adequate”, whilst also recognising all existing adequacy decisions made by the EU (subject to ongoing review), and
  • recognise:
    • EU Standard Contractual Clauses (SCCs) in UK law and give the ICO the power to issue new clauses, and
    • Binding Corporate Rules (BCRs) authorised prior to the UK’s exit from the EU and give the ICO the power to approve new BCRs.

No Deal Brexit - Key Data Protection Questions

Given the immediate impact that a No-Deal Brexit would have on organisations with a UK presence, we would advise organisations to consider the following key questions on how a No-Deal Brexit is likely to affect their data processing operations:

Data Protection Laws
  • Which data protection laws will apply to my organisation in the event of a No-Deal Brexit?
Data Protection Authorities and Representatives
  • Who will be my organisation’s data protection supervisory authority in the event of a No-Deal Brexit?
  • Will my organisation need to appoint any additional data protection representatives in the event of a No-Deal Brexit?
Transfers of Personal Data
  • How would a No-Deal Brexit affect how my UK organisation processes personal data within the UK?
  • Will my UK based organisation be able to continue to transfer personal data outside of the UK into the EEA in the event of a No-Deal Brexit?
  • How would a No-Deal Brexit affect my UK based organisation’s transfers of personal data to organisations outside of the EEA?
  • How would a No-Deal Brexit affect my UK based organisation’s ability to receive personal data from the EEA?
  • Will I be subject to the same fines in relation to any data protection breaches in the event of a No-Deal Brexit?

See here for our responses to these questions and more information on the topic.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.