Does the GDPR Apply After Brexit?

The UK is due to leave European Union on the 29th of March 2019. After lengthy negotiations with the EU, the UK are finalising their exit deal, which lays out what the UK’s relationship with the EU will look like after the UK are no longer a member state.

The GDPR is a far-reaching data protection regulation introduced by EU in 2018, which lays out stringent requirements for businesses to protect the personal data of EU citizens and residents.

Unsurprisingly, there have been many questions around the jurisdiction of the GDPR after Brexit. Despite rumours to the contrary, the GDPR will continue to influence UK Data Protection laws and UK businesses will still need to carefully plan their compliance programmes.

Why will the UK continue to comply with the GDPR?

  • The GDPR has already been passed into UK law – The Data Protection Act 2018 has now received Royal Assent, the final step in passing the law as an Act of Parliament.
  • The European (Withdrawal) Act 2018 has also received Royal Assent – it requires that all existing legislation is carried over into UK law, allowing individual laws to be reviewed and replaced, if necessary, at a later date.
  • It will be crucial that UK Data Protection legislation stands up to scrutiny by the EU after Brexit, to enable the UK to share and receive data – an essential part of international trade.
  • Any company that processes the data of EU residents will need to comply with the GDPR regardless of their location.

What it means for UK businesses

UK organisations should continue to place a focus on good data protection practice which is compliant with both the GDPR and the Data Protection Act 2018.

After Brexit, there may be additional burdens on UK organisations that share data internationally. The UK and EU could reach a formal adequacy designation, which would allow a streamlined process for data transfer by confirming that UK data protection laws meet the same or higher standards than EU legislation.

Failing a formal adequacy decision, UK businesses will be required to prepare additional legal clauses in business contracts to bind themselves to assume responsibility to process and store data in accordance with the GDPR and hold UK businesses liable if they fail to do so.

Make sure your business is prepared for any eventuality. Get Ready, Get Compliant, Stay Compliant with Sovy GDPR Privacy Essentials.