Brexit and Its Impact On GDPR

The United Kingdom (UK) decided to leave the European Union (EU) in June 2016. Ever since, Brexit (British exit), which is yet to be finalized and carried out, has had a roller-coaster of a ride. The exit day has been extended multiple times to avoid a “no-deal” Brexit, that is, leaving without an agreement. The final date has been set to January 31, 2020, by the EU. From then on, the UK will enter a “grace” or “transition” period to determine the relationship with the EU, including data protection law until December 2020. In the case of a no-deal Brexit, there will not be a transition period.

The GDPR (read our guide to GDPR) in the UK has come under a lot of close reviews since the Brexit decision. This article tries to breakdown what impact Brexit will have on the GDPR compliance in the UK.

The UK government said it is committed to data protection. It will integrate the GDPR into the UK data protection law, which will be similar to the principles of the Regulation. The rights, principles, and obligations in the data protection law will remain the same as GDPR. The significant impact will be on data transfers between the UK and the EU. The government has said that the data transfer from the UK to the EU will remain uninterrupted.

The UK will most likely request an “adequacy” status from the European Commission. Adequacy means that the countries outside the EU have data protection measures that are equivalent to European standards. An adequacy decision allows uninterrupted data flow from EU countries to and from the countries outside it without further supervisory authorization. Until the UK obtains an adequacy agreement, cross-border data transfer from the EU to the UK will require legal measures and approval from the supervisory authority.

Let’s look at how the Brexit will impact GDPR with or without a deal.

GDPR After No Deal Brexit

Since there will not be a transition period in case of no deal, the GDPR will no longer apply, starting immediately from the day of the exit. However, if your organization is based in the UK, it will have to comply with the UK data protection law. Please note that the EU GDPR will still apply if you collect and process data of people in the EU. ICO will no longer remain the leading supervisory authority. It will continue to be the independent supervisory body that handles the data protection law in the country. If your organization operates in the EU and you have customers from the UK and EU, then you have to comply with both the GDPR and the UK law. For example, if you own a website from the UK that also has visitors or deals with EU customers, it will be subject to GDPR standards.

GDPR After Brexit With a Deal

In case the UK leaves with a deal, the GDPR will continue to apply until the transition period (December 31, 2020) is over. After that, it will be similar to a no-deal scenario. It will also depend on the agreement between the UK and the EU after the transition period.

Check out this FAQ on Brexit by the ICO.

Deal or no deal, the UK’s withdrawal from the EU will make the UK data protection law replace the GDPR in the country. And it will have a significant impact on organizations that deal with UK customers. Nevertheless, you should always safeguard your organization and adopt measures to comply with both the data protection laws.