Brexit and GDPR – what happens now?

So the UK has voted to leave the EU but what does this all mean for the UK implementing the new EU General Data Protection Regulations (GDPR)?  These Regulations came into force across the EU in May this year and will become directly applicable in all member states as of 25th May 2018.


The general consensus across the data protection profession, and also my own personal view, is that GDPR will be implemented in the UK regardless of the fact that we have voted to leave the EU. Here are my reasons why:


  • Firstly, it would appear that the UK is in no rush to invoke Article 50 of the Lisbon Treaty which starts the 2 year withdrawal process from the EU. It is looking highly likely that this will be invoked when the new Prime Minister has been appointed later in the year. This goes past the implementation date of 25th May 2018 when GDPR becomes applicable in all member states, of which the UK will still be a member at that time. Therefore we will still need to implement GDPR.  Even if Article 50 was triggered today it will still take us past the GDPR implementation date of 25th May 2018.


  • Secondly, when we do leave the EU, all UK businesses who process the personal data of individuals who are in the EU must comply with GDPR. See Article 3 of the GDPR which refers to the territorial scope of the regulations. This has been one of the big changes in the data protection law and it won’t just affect the UK, it is any country outside of the EU.


  • Thirdly, as a country that will sit outside the EU, we will have to ensure we have adequate levels of protection in place to safeguard the processing of EU citizen’s data – just like Safe Harbor/Privacy Shield for the USA. If we adopt GDPR the EU will not be in a position to say we don’t offer the adequate levels of protection.


  • Finally, why do we need to re-invent the wheel and write our own updated data protection law? The UK as an EU member state has contributed to the GDPR and accepted and agreed the final text. It would seem a waste of time to sit down and write our own separate law given we are satisfied with GDPR and the improvements it makes in data protection law.


So, one way or another, GDPR is on its way.


If you’re a business that gathers information about your customers/clients, suppliers and/or staff then you should be making a start on GDPR compliance. The 2 year transition period is there for a reason, it will take time to make the necessary changes to be ready to comply with GDPR as of 25th May 2018. The Information Commissioner’s Office (the UK’s data protection regulator) has produced a very useful 12 step checklist which sets out what you need to do now to prepare for GDPR.


I will also be running workshops on the new GDPR which will look at what the changes are in the law and what you need to do to get your business ready – keep an eye out for workshop dates.


In the meantime if you want any advice on the new GDPR (or existing data protection law) and what your business should be doing to safeguard an individual’s personal data give me, Samantha Dunwell, a call on 07534 258800.